[Freeipa-users] Freeipa 4.4 creating users with expiration
Hello,

I am using the FreeIPA 4.4 version. I would like to create a few users that are only valid for a few days or months. So, is there a way to create a few users with a preset expiration, or to auto-lock those accounts after a few days?

Thanks
Rakesh

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
[Freeipa-users] freeipa hostbased auth "connection closed"
Hi,

I am running a FreeIPA server version 4.4.0 and have set up HBAC rules which work fine. However, just on one single host, I am seeing this issue wherein it is not allowing me ssh access. When I check my HBAC permissions, it says access granted, but on trying to login, it blocks me.

On the FreeIPA server:

ipa hbactest --user=p-testhbac --host=<my-test-host> --service=sshd
Access granted: True
Matched rules: ipa-alluser-access
Not matched rules: ipa-alluser-sudo-access

On the client I get this message while doing an ssh: "Connection closed by 10.0.30.28".

In /var/log/secure I see these messages:

Feb 5 13:57:41 10 sshd[26692]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.4.6 user=p-testhbac
Feb 5 13:57:41 10 sshd[26692]: pam_sss(sshd:account): Access denied for user p-testhbac: 4 (System error)
Feb 5 13:57:41 10 sshd[26692]: Failed password for p-testhbac from 10.0.4.6 port 40540 ssh2
Feb 5 13:57:41 10 sshd[26692]: fatal: Access denied for user p-testhbac by PAM account configuration [preauth]

In /var/log/sssd/sssd_domain.log I see this error at the end:

(Sun Feb 5 13:57:41 2017) [sssd[be[mydomain.com]]] [dp_req_destructor] (0x0400): DP Request [PAM SELinux #13]: Request removed.
(Sun Feb 5 13:57:41 2017) [sssd[be[mydomain.com]]] [dp_req_destructor] (0x0400): Number of active DP request: 0
(Sun Feb 5 13:57:41 2017) [sssd[be[mydomain.com]]] [dp_pam_reply] (0x1000): DP Request [PAM Account #12]: Sending result [4][mydomain.com]
(Sun Feb 5 13:57:41 2017) [sssd[be[mydomain.com]]] [child_sig_handler] (0x1000): Waiting for child [26795].
(Sun Feb 5 13:57:41 2017) [sssd[be[mydomain.com]]] [child_sig_handler] (0x0020): child [26795] failed with status [1].

But a few lines above, I see that I was allowed in by the HBAC rule:

(Sun Feb 5 13:57:41 2017) [sssd[be[mydomain.com]]] [hbac_evaluate] (0x0100): ALLOWED by rule [ipa-alluser-access].
(Sun Feb 5 13:57:41 2017) [sssd[be[mydomain.com]]] [hbac_evaluate] (0x0100): hbac_evaluate() >]
(Sun Feb 5 13:57:41 2017) [sssd[be[mydomain.com]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [ipa-alluser-access]
(Sun Feb 5 13:57:41 2017) [sssd[be[mydomain.com]]] [dp_req_done] (0x0400): DP Request [PAM Account #12]: Request handler finished [0]: Success
(Sun Feb 5 13:57:41 2017) [sssd[be[mydomain.com]]] [_dp_req_recv] (0x0400): DP Request [PAM Account #12]: Receiving request data.
(Sun Feb 5 13:57:41 2017) [sssd[be[mydomain.com]]] [dp_req_destructor] (0x0400): DP Request [PAM Account #12]: Request removed.

I was allowed in per the HBAC rule. Not sure what's blocking me.

Thanks
Rakesh
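One way to read a log like this programmatically, as an added example that is not part of the original post: it separates the HBAC decision from the PAM account result that sssd actually sent back, so that a result of 4 (PAM_SYSTEM_ERR) following an "ALLOWED by rule" line is reported as a failure in a later step of the account request rather than as an HBAC denial. The sample lines are constructed from the ones quoted above; the verdict names are this example's own.

```python
import re

# Constructed sample, modelled on the sssd_domain.log lines quoted in the post above
# (same request ids, rule name, child pid and result code).
SAMPLE_LOG = """\
(Sun Feb 5 13:57:41 2017) [sssd[be[mydomain.com]]] [hbac_evaluate] (0x0100): ALLOWED by rule [ipa-alluser-access].
(Sun Feb 5 13:57:41 2017) [sssd[be[mydomain.com]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [ipa-alluser-access]
(Sun Feb 5 13:57:41 2017) [sssd[be[mydomain.com]]] [dp_req_done] (0x0400): DP Request [PAM Account #12]: Request handler finished [0]: Success
(Sun Feb 5 13:57:41 2017) [sssd[be[mydomain.com]]] [dp_req_destructor] (0x0400): DP Request [PAM SELinux #13]: Request removed.
(Sun Feb 5 13:57:41 2017) [sssd[be[mydomain.com]]] [dp_pam_reply] (0x1000): DP Request [PAM Account #12]: Sending result [4][mydomain.com]
(Sun Feb 5 13:57:41 2017) [sssd[be[mydomain.com]]] [child_sig_handler] (0x1000): Waiting for child [26795].
(Sun Feb 5 13:57:41 2017) [sssd[be[mydomain.com]]] [child_sig_handler] (0x0020): child [26795] failed with status [1].
"""

# One sssd debug line: "(timestamp) [sssd[be[domain]]] [function] (level): message"
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]*)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
REQ_RE = re.compile(r"DP Request \[(?P<kind>[^\]]+?) #(?P<num>\d+)\]: (?P<rest>.*)")
RESULT_RE = re.compile(r"Sending result \[(?P<code>\d+)\]")
ALLOWED_RE = re.compile(r"ALLOWED by rule \[(?P<rule>[^\]]+)\]")
CHILD_FAIL_RE = re.compile(r"child \[(?P<pid>\d+)\] failed with status \[(?P<status>\d+)\]")

# Linux-PAM return codes that sssd sends back for the account phase.
PAM_SUCCESS = 0
PAM_SYSTEM_ERR = 4     # what /var/log/secure above shows as "4 (System error)"
PAM_PERM_DENIED = 6    # what an HBAC denial is reported as


def parse_lines(log_text):
    """Return the parsed fields of every line that matches the sssd log format."""
    records = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            records.append(m.groupdict())
    return records


def analyze(log_text):
    """Separate the HBAC decision from the PAM account result sent to the client."""
    allowed_rules, account_results, other_requests, child_failures = [], [], [], []
    for rec in parse_lines(log_text):
        msg = rec["msg"]
        m = ALLOWED_RE.search(msg)
        if m and rec["func"] == "hbac_evaluate":
            allowed_rules.append(m.group("rule"))
            continue
        m = CHILD_FAIL_RE.search(msg)
        if m:
            child_failures.append((int(m.group("pid")), int(m.group("status"))))
            continue
        m = REQ_RE.search(msg)
        if not m:
            continue
        name = f"{m.group('kind')} #{m.group('num')}"
        if m.group("kind") == "PAM Account":
            r = RESULT_RE.search(m.group("rest"))
            if r:
                account_results.append(int(r.group("code")))
        elif name not in other_requests:
            # Other requests that ran in the same window (here "PAM SELinux #13");
            # when the account reply is a system error these are where to look next.
            other_requests.append(name)

    final = account_results[-1] if account_results else None
    if final == PAM_SUCCESS:
        verdict = "ok"
    elif final == PAM_PERM_DENIED:
        verdict = "denied_by_hbac"
    elif final == PAM_SYSTEM_ERR and allowed_rules:
        verdict = "hbac_allowed_but_system_error"
    elif final is None:
        verdict = "no_account_reply"
    else:
        verdict = "error"
    return {
        "allowed_rules": allowed_rules,
        "account_result": final,
        "other_requests": other_requests,
        "child_failures": child_failures,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```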
Re: [Freeipa-users] Kerberos Clock Skew too great
I was seeing a lot of entries in the krb5kdc.log like below:

"krb5kdc[10403](info): TGS_REQ (4 etypes {18 17 16 23}) 10.1.4.219: ISSUE: authtime 1485450918, etypes {rep=18 tkt=18 ses=18}, host/my-host@MYDOMAIN"

On one env where users rarely log in, even there I see a lot of such requests.

Finally, I think I was able to track this down. There are a few local accounts (non-FreeIPA) on my hosts. These are used to run some custom scripts through cron and run frequently (every few mins). So, I feel whenever there's a request for "su -" or a sudo to the local user, that would also end up calling the Kerberos service, and since it runs so frequently on all the hosts, they would be choking the IPA master/replica with so many requests.

Please correct me if I am wrong in the above assumption.

Going by the above logic, I have added filter_users with these users in the sssd.conf. Hopefully I will see a drop in the number of requests.

On Mon, Jan 23, 2017 at 11:27 PM, Robbie Harwood <rharw...@redhat.com> wrote:
> Rakesh Rajasekharan <rakesh.rajasekha...@gmail.com> writes:
>
> > one more question I was curious is.. when does the krb5kdc.log get entries
> > . .. I mean is it only when someone makes an attempt to login to a server
> > that the log file krb5kdc.log on the IPA master gets updated or there are
> > other scenarios as well
>
> It's controlled by /etc/kdc.conf ; take a look at the "[logging]" section in
> `man 5 kdc.conf` for more information.
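To test an assumption like the one above against the log instead of guessing, here is an added example (not from the original thread) that counts AS_REQ and TGS_REQ entries in krb5kdc.log per client address and client principal, lists the service principals a client asked for, and flags clients that burst within a single minute. The log lines are constructed in the style of the entry quoted above, with the syslog prefix kept so that entries can be bucketed per minute; the thresholds are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the style of the krb5kdc.log entry quoted above.
SAMPLE_KDC_LOG = """\
Jan 26 17:15:18 ipa-master krb5kdc[10403](info): TGS_REQ (4 etypes {18 17 16 23}) 10.1.4.219: ISSUE: authtime 1485450918, etypes {rep=18 tkt=18 ses=18}, host/my-host@MYDOMAIN for ldap/ipa-master.mydomain.com@MYDOMAIN
Jan 26 17:15:19 ipa-master krb5kdc[10403](info): TGS_REQ (4 etypes {18 17 16 23}) 10.1.4.219: ISSUE: authtime 1485450918, etypes {rep=18 tkt=18 ses=18}, host/my-host@MYDOMAIN for ldap/ipa-master.mydomain.com@MYDOMAIN
Jan 26 17:15:21 ipa-master krb5kdc[10403](info): TGS_REQ (4 etypes {18 17 16 23}) 10.1.4.219: ISSUE: authtime 1485450918, etypes {rep=18 tkt=18 ses=18}, host/my-host@MYDOMAIN for ldap/ipa-master.mydomain.com@MYDOMAIN
Jan 26 17:15:40 ipa-master krb5kdc[10403](info): TGS_REQ (4 etypes {18 17 16 23}) 10.1.4.219: ISSUE: authtime 1485450918, etypes {rep=18 tkt=18 ses=18}, host/my-host@MYDOMAIN for ldap/ipa-master.mydomain.com@MYDOMAIN
Jan 26 17:15:50 ipa-master krb5kdc[10403](info): AS_REQ (4 etypes {18 17 16 23}) 10.1.4.220: NEEDED_PREAUTH: admin@MYDOMAIN for krbtgt/MYDOMAIN@MYDOMAIN, Additional pre-authentication required
Jan 26 17:15:51 ipa-master krb5kdc[10403](info): AS_REQ (4 etypes {18 17 16 23}) 10.1.4.220: ISSUE: authtime 1485450951, etypes {rep=18 tkt=18 ses=18}, admin@MYDOMAIN for krbtgt/MYDOMAIN@MYDOMAIN
Jan 26 17:16:02 ipa-master krb5kdc[10403](info): TGS_REQ (4 etypes {18 17 16 23}) 10.1.4.221: ISSUE: authtime 1485450960, etypes {rep=18 tkt=18 ses=18}, host/other-host@MYDOMAIN for ldap/ipa-master.mydomain.com@MYDOMAIN
"""

# Syslog prefix is optional (the entry quoted in the thread has none); the
# "for <service>" tail is optional too, since the quoted entry was cut before it.
KDC_RE = re.compile(
    r"^(?:(?P<minute>\w{3} +\d{1,2} \d\d:\d\d):\d\d \S+ )?"
    r"krb5kdc\[\d+\]\(\w+\): (?P<req>AS_REQ|TGS_REQ) \([^)]*\) (?P<ip>[\d.]+): "
    r"(?P<status>\w+): (?:.*?, )?(?P<client>[^\s,]+@[^\s,]+)"
    r"(?: for (?P<server>[^\s,]+))?")


def parse_kdc_log(text):
    """Parse AS_REQ/TGS_REQ lines; other KDC messages are ignored."""
    records = []
    for line in text.splitlines():
        m = KDC_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def top_talkers(records, limit=5):
    """(client address, client principal) pairs that send the most requests."""
    counts = Counter((r["ip"], r["client"]) for r in records)
    return counts.most_common(limit)


def services_requested(records, client):
    """Service principals a given client principal asked tickets for, with counts."""
    return Counter(r["server"] for r in records if r["client"] == client)


def bursty_clients(records, per_minute=3):
    """Clients that reach per_minute requests within any single minute (assumed threshold)."""
    per_min = Counter((r["minute"] or "unknown", r["ip"], r["client"]) for r in records)
    worst = {}
    for (_, ip, client), n in per_min.items():
        if n >= per_minute:
            worst[(ip, client)] = max(n, worst.get((ip, client), 0))
    return sorted(worst.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    recs = parse_kdc_log(SAMPLE_KDC_LOG)
    print("top talkers:", top_talkers(recs))
    print("bursty:", bursty_clients(recs))
    for (ip, client), _ in top_talkers(recs, 1):
        print(client, "asked for:", dict(services_requested(recs, client)))
```

Pointing the parser at the real file (`/var/log/krb5kdc.log`) shows which hosts and principals are generating the volume, which is the check the assumption above needs.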
Re: [Freeipa-users] Kerberos Clock Skew too great
Thanks for the inputs. One more question I was curious about is: when does the krb5kdc.log get entries? I mean, is it only when someone makes an attempt to login to a server that the log file krb5kdc.log on the IPA master gets updated, or are there other scenarios as well?

Thanks
Rakesh

On Fri, Jan 20, 2017 at 3:09 AM, Robbie Harwood <rharw...@redhat.com> wrote:
> Rakesh Rajasekharan <rakesh.rajasekha...@gmail.com> writes:
>
> >> Great, glad it's fixed! Are these VMs? If not, you may wish to
> >> (re?)configure automatic syncing.
> >
> > yes these are AWS instances. How do I reconfigure auto syncing . Is
> > there a documentation I can follow.
>
> During install of the IPA server, it will set up an NTP server (unless
> you ask it not to). During enrollment of each IPA client, it will
> configure NTP against that server (unless you ask it not to). Disabling
> it is the -N flag in both cases.
Re: [Freeipa-users] Freeipa replica info to clients: guidance
Thanks Matrix. I will add this option to my config params.

Regards,
Rakesh

On Sat, Jan 21, 2017 at 7:17 PM, Matrix <matrix...@qq.com> wrote:
> Hi, Rakesh
>
> Try 'ipa-client-install' with this option '--fixed-primary'. With it, '_srv_' will disappear.
>
> From man page:
> --fixed-primary
>     Configure SSSD to use a fixed server as the primary IPA server. The default is to use DNS SRV records to determine the primary server to use and fall back to the server the client is enrolled with. When used in conjunction with --server then no _srv_ value is set in the ipa_server option in sssd.conf.
>
> Matrix
>
> ------ Original ------
> From: "Rakesh Rajasekharan";<rakesh.rajasekha...@gmail.com>;
> Date: Sat, Jan 21, 2017 10:09 PM
> To: "Matrix"<matrix...@qq.com>;
> Cc: "freeipa-users"<freeipa-users@redhat.com>;
> Subject: Re: [Freeipa-users] Freeipa replica info to clients: guidance
>
> Thanks Matrix.. for the inputs..
>
> > Firstly, '_srv_' means clients will find out which servers will be connected with by dns srv records. In your explanation, DNS is not configured in your env.
>
> After running the ipa-client, the _srv_ was automatically added. The config options I passed for configuring the host as an IPA client are:
>
> ipa-client-install --domain=mydomain.com --server=ipa-master-int.mydomain.com --realm=MYDOMAIN.COM -p admin --password=mypass --mkhomedir --hostname=first-client-int.mydomain.com --no-ssh --no-sshd -N -f -U
>
> While configuring the IPA server, I did not pass the setup-dns option (that avoids setting up the DNS server, I assume):
>
> ipa-server-install -r 'MYDOMAIN.COM' -n 'mydomain.com' -p mypass -P mypass -a mypass --hostname=ipa-master-int.mydomain.com -N -U
>
> So, I did not explicitly specify the _srv_ option. However, this has been working fine till now.
>
> > Secondly, 'replica' key words ? I can not find it from man pages of sssd-ipa. is it really working fine?
>
> Sorry, that was a typo from my side. It's actually
> ipa_server = _srv_, ipa-master-mydomain.com, ipa-replica-mydomain.com.
>
> > So, I suggested to configure it in this way:
> > ipa_server =
> > ipa_backup_server =
> >
> > For another half clients,
> > ipa_server =
> > ipa_backup_server =
>
> I will try this out.. probably I can safely leave out _srv_
>
> Thanks
> Rakesh
>
> On Sat, Jan 21, 2017 at 6:10 PM, Matrix <matrix...@qq.com> wrote:
> > For my understanding, there is something wrong with your configuration
> >
> > > ipa_server = _srv_, ipa-master-mydomain.com, repilca
> > > ipa-replica-mydomain.com
> >
> > Firstly, '_srv_' means clients will find out which servers will be connected with by dns srv records. In your explanation, DNS is not configured in your env.
> >
> > Secondly, 'replica' key words ? I can not find it from man pages of sssd-ipa. is it really working fine?
> >
> > > Also, can I define priority based on the order in which the IPA servers are defined in
> > > ipa_server = _srv_ ,,
> >
> > your understanding is correct. server priority is based on sequence in conf file. There is a problem for this configuration. Once 'ipa1' fails, all id lookup/authentication will happen on 'ipa2'. Even when 'ipa1' is back, all clients will stay sticky on 'ipa2'
> >
> > So, I suggested to configure it in this way:
> > ipa_server =
> > ipa_backup_server =
> >
> > For another half clients,
> > ipa_server =
> > ipa_backup_server =
> >
> > Matrix
> >
> > ------ Original ------
> > From: "Rakesh Rajasekharan";<rakesh.rajasekha...@gmail.com>;
> > Date: Sat, Jan 21, 2017 08:25 PM
> > To: "freeipa-users"<freeipa-users@redhat.com>;
> > Subject: [Freeipa-users] Freeipa replica info to clients: guidance
> >
> > Hi,
> >
> > My FreeIPA setup is on AWS EC2 instances and has been working fine with just one master for a while now.
> >
> > I am now trying to set up replica servers, which I was able to, and the replication between both masters goes fine.
> >
> > So, I have a master server ipa-master-mydomain.com and replica ipa-replica-mydomain.com
> >
> > I am not using DNS and rely on AWS for DNS resolution instead.
> >
> > My question is, how do I tell clients about the new replica server.
> >
> > I tried an ent
Re: [Freeipa-users] Freeipa replica info to clients: guidance
Thanks Matrix.. for the inputs..

> Firstly, '_srv_' means clients will find out which servers will be connected with by dns srv records. In your explanation, DNS is not configured in your env.

After running the ipa-client, the _srv_ was automatically added. The config options I passed for configuring the host as an IPA client are:

ipa-client-install --domain=mydomain.com --server=ipa-master-int.mydomain.com --realm=MYDOMAIN.COM -p admin --password=mypass --mkhomedir --hostname=first-client-int.mydomain.com --no-ssh --no-sshd -N -f -U

While configuring the IPA server, I did not pass the setup-dns option (that avoids setting up the DNS server, I assume):

ipa-server-install -r 'MYDOMAIN.COM' -n 'mydomain.com' -p mypass -P mypass -a mypass --hostname=ipa-master-int.mydomain.com -N -U

So, I did not explicitly specify the _srv_ option. However, this has been working fine till now.

> Secondly, 'replica' key words ? I can not find it from man pages of sssd-ipa. is it really working fine?

Sorry, that was a typo from my side. It's actually
ipa_server = _srv_, ipa-master-mydomain.com, ipa-replica-mydomain.com.

> So, I suggested to configure it in this way:
> ipa_server =
> ipa_backup_server =
>
> For another half clients,
> ipa_server =
> ipa_backup_server =

I will try this out.. probably I can safely leave out _srv_

Thanks
Rakesh

On Sat, Jan 21, 2017 at 6:10 PM, Matrix <matrix...@qq.com> wrote:
> For my understanding, there is something wrong with your configuration
>
> > ipa_server = _srv_, ipa-master-mydomain.com, repilca
> > ipa-replica-mydomain.com
>
> Firstly, '_srv_' means clients will find out which servers will be connected with by dns srv records. In your explanation, DNS is not configured in your env.
>
> Secondly, 'replica' key words ? I can not find it from man pages of sssd-ipa. is it really working fine?
>
> > Also, can I define priority based on the order in which the IPA servers are defined in
> > ipa_server = _srv_ ,,
>
> your understanding is correct. server priority is based on sequence in conf file. There is a problem for this configuration. Once 'ipa1' fails, all id lookup/authentication will happen on 'ipa2'. Even when 'ipa1' is back, all clients will stay sticky on 'ipa2'
>
> So, I suggested to configure it in this way:
> ipa_server =
> ipa_backup_server =
>
> For another half clients,
> ipa_server =
> ipa_backup_server =
>
> Matrix
>
> ------ Original ------
> From: "Rakesh Rajasekharan";<rakesh.rajasekha...@gmail.com>;
> Date: Sat, Jan 21, 2017 08:25 PM
> To: "freeipa-users"<freeipa-users@redhat.com>;
> Subject: [Freeipa-users] Freeipa replica info to clients: guidance
>
> Hi,
>
> My FreeIPA setup is on AWS EC2 instances and has been working fine with just one master for a while now.
>
> I am now trying to set up replica servers, which I was able to, and the replication between both masters goes fine.
>
> So, I have a master server ipa-master-mydomain.com and replica ipa-replica-mydomain.com
>
> I am not using DNS and rely on AWS for DNS resolution instead.
>
> My question is, how do I tell clients about the new replica server.
>
> I tried an entry in the sssd.conf domain section of the clients:
>
> id_provider = ipa
> auth_provider = ipa
> ipa_server = _srv_, ipa-master-mydomain.com, repilca
> ipa-replica-mydomain.com
>
> This approach works fine and clients reach out to the replica as a failover. However, I wanted to verify if this is the correct way.
>
> Also, can I define priority based on the order in which the IPA servers are defined in
> ipa_server = _srv_ ,,
>
> If the above assumption is right, I could have half of my clients connect to the master always and the rest to the replica, that way balancing the load.
>
> Thanks
> Rakesh
[Freeipa-users] Freeipa replica info to clients: guidance
Hi,

My FreeIPA setup is on AWS EC2 instances and has been working fine with just one master for a while now.

I am now trying to set up replica servers, which I was able to, and the replication between both masters goes fine.

So, I have a master server ipa-master-mydomain.com and replica ipa-replica-mydomain.com

I am not using DNS and rely on AWS for DNS resolution instead.

My question is, how do I tell clients about the new replica server.

I tried an entry in the sssd.conf domain section of the clients:

id_provider = ipa
auth_provider = ipa
ipa_server = _srv_, ipa-master-mydomain.com, repilca ipa-replica-mydomain.com

This approach works fine and clients reach out to the replica as a failover. However, I wanted to verify if this is the correct way.

Also, can I define priority based on the order in which the IPA servers are defined in
ipa_server = _srv_ ,,

If the above assumption is right, I could have half of my clients connect to the master always and the rest to the replica, that way balancing the load.

Thanks
Rakesh
Re: [Freeipa-users] Kerberos Clock Skew too great
Hi There,

Sorry, could not get back on this earlier.

> Great, glad it's fixed! Are these VMs? If not, you may wish to
> (re?)configure automatic syncing.

Yes, these are AWS instances. How do I reconfigure auto syncing? Is there documentation I can follow? Sorry, haven't done this before and not much info on that part.

Apart from this, I also have a correlation between the "Clock skew" issue and an earlier issue that I posted in another thread. Basically, I noticed that whenever I see clock skew errors, I see a lot of connections in SYN_RECV state.

This is the list of SYN_RECV connections:

tcp 0 0 10.0.8.45:88 10.0.30.49:42695 SYN_RECV
tcp 0 0 10.0.8.45:88 10.0.15.72:44991 SYN_RECV
tcp 0 0 10.0.8.45:88 10.0.2.82:53265 SYN_RECV
tcp 0 0 10.0.8.45:88 10.0.31.253:57682 SYN_RECV
tcp 0 0 10.0.8.45:88 10.0.34.208:53488 SYN_RECV
tcp 0 0 10.0.8.45:88 10.0.27.17:47245 SYN_RECV
tcp 0 0 10.0.8.45:88 10.0.17.53:54504 SYN_RECV
tcp 0 0 10.0.8.45:88 10.0.24.78:47796 SYN_RECV
tcp 0 0 10.0.8.45:88 10.0.4.246:33607 SYN_RECV
tcp 0 0 10.0.8.45:88 10.0.27.91:34190 SYN_RECV
tcp 0 0 10.0.8.45:88 10.0.27.248:38012 SYN_RECV
tcp 0 0 10.0.8.45:88 10.0.15.139:51319 SYN_RECV
tcp 0 0 10.0.8.45:88 10.0.15.175:41188 SYN_RECV

Thanks,
Rakesh

On Tue, Jan 10, 2017 at 12:48 AM, Robbie Harwood <rharw...@redhat.com> wrote:
> Rakesh Rajasekharan <rakesh.rajasekha...@gmail.com> writes:
>
> > There were about 1500 hosts that were alerting for "clock skew" and the
> > issue went away only after I did a resync using ntpdate on all those hosts
>
> Great, glad it's fixed! Are these VMs? If not, you may wish to
> (re?)configure automatic syncing.
>
> > Is it possible that so many higher number of minor offsets adds up and
> > causes it. Coz from the individual offset it looks much below the 5min limit
>
> Not as such, if I understand you correctly? This should only be a
> problem between any two machines that need to communicate (including the
> freeipa KDC).
>
> > Or, is there a way to tell whats the offset limit its actually looking for.
>
> 5 minutes almost certainly. The parameter to configure it is
> "clockskew" in the config files, but I don't think IPA touches that.
>
> Hope that helps,
> --Robbie
Re: [Freeipa-users] Kerberos Clock Skew too great
Yes, on the IPA server as well, the offset isn't that high:

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ip-10-10-1-150.e 132.163.4.101    2 u  119  128  377    0.431   -0.279   0.348

So, my NTP server, the IPA client and the IPA master all seem to not have a high offset or jitter.

There were about 1500 hosts that were alerting for "clock skew" and the issue went away only after I did a resync using ntpdate on all those hosts.

Is it possible that so many minor offsets add up and cause it? Coz from the individual offset it looks much below the 5min limit.

Or, is there a way to tell what's the offset limit it's actually looking for?

Thanks,
Rakesh

On Mon, Jan 9, 2017 at 1:42 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
> On Mon, Jan 09, 2017 at 01:07:06PM +0530, Rakesh Rajasekharan wrote:
> > Hi,
> >
> > I am using a Freeipa 4.2.0 server.
> >
> > I sometimes see, "clock skew too great" errors in /var/log/krb5kdc.log. And
> > when this happens, usually logins or new ipa-client-install fails.
> >
> > When I checked on one of the hosts for which the clock skew was reported,
> >
> > #> ntpq -p
> >      remote           refid      st t when poll reach   delay   offset  jitter
> > ==============================================================================
> > *ip-10-10-1-150.e 171.66.97.126    2 u  869 1024  377    0.448    0.047   0.142
>
> In general, 5 minutes is OK at least. But are you sure the server is also
> in sync or just the client against an NTP server (iow, are you sure you
> are checking the difference between a client and the KDC as well?)
[Freeipa-users] Kerberos Clock Skew too great
Hi,

I am using a FreeIPA 4.2.0 server.

I sometimes see "clock skew too great" errors in /var/log/krb5kdc.log. And when this happens, usually logins or a new ipa-client-install fail.

When I checked on one of the hosts for which the clock skew was reported:

#> ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ip-10-10-1-150.e 171.66.97.126    2 u  869 1024  377    0.448    0.047   0.142

Does the above o/p look fine in terms of the NTP sync? What's the max time difference that's allowed for a client?

Thanks
Rakesh
[Freeipa-users] Server unwilling to perform error
Hi There,

I am running FreeIPA version 4.2.0.

I have been noticing that frequently I get this error:

"ipa: ERROR: Server is unwilling to perform: Entry permanently locked."

when I try to run any ipa commands like ipa user-find or user-status. Finally I see that my admin account has been locked and I need to unlock it manually.

I don't see anything in the krb5kdc.log. Are there any other specific logs that can give me pointers as to what could be going wrong, as I see this almost daily?

Thanks,
Rakesh
[Freeipa-users] kinit: admin account getting locked out frequently
Hi All,

In my FreeIPA setup, I am frequently seeing this error when I try "kinit admin":

"kinit: Clients credentials have been revoked while getting initial credentials"

I have tried decreasing the "--failinterval" and increasing the "--maxfail" values. However, I still continue to see this error and it does not get unlocked. I have to manually unlock using "modprinc -unlock ad...@xyz.com".

In the history on the IPA admin server, I do not see any instances of "kinit admin" being run.

Is there anything else that I should check to trace the cause of this?

Thanks.
Rakesh
Re: [Freeipa-users] Fwd: Re: Increase ListenBacklog for httpd
Thanks Robbie for the inputs. The load should not have been high, as I have around 4000 clients with 160 users, which should be manageable. However, I saw a lot of "clock skew too great" errors in my krb5kdc.log; however, I haven't been able to verify if those were genuine. Can too many clock skew errors take down the Kerberos service?

On Mon, Sep 19, 2016 at 10:15 PM, Robbie Harwood <rharw...@redhat.com> wrote:
> Rakesh Rajasekharan <rakesh.rajasekha...@gmail.com> writes:
>
> > On Mon, Sep 12, 2016 at 10:13 AM, Rakesh Rajasekharan
> > <rakesh.rajasekha...@gmail.com> wrote:
> >
> >     sorry I guess I did not put the question correctly
> >
> >     I wanted to know .. like we have the ListenBacklog for apache to basically define the number of connections it can handle.. do we have some thing similar for our krb5kdc service.. as the SYN flooding at 88 looks like krb5kdc service is not able to handle sudden spurt in connections or the number of connections are more than it could handle..
> >
> >     So, would be great if I could know how many connection it can support at any given time ..most of the times I see this error while i add clients to IPA master.. so if there's a known limit , I could first check netstat to see how many connections I have at any point and if its below the limit only then setup ipa-client-install
>
> We intentionally do not have such a parameter in krb5. We call
> listen(5) internally, but please note this is probably not the parameter
> you want to be able to tune.
>
> The listen() backlog is the number of connections that are waiting to be
> accept()ed by the process. They sit in the kernel, not receiving
> SYNACK. This number does not count connections that the process - here
> krb5kdc - has accept()ed and is currently processing.
>
> If you're truly seeing connections faster than they can be accept()ed,
> you have a load problem that tuning this parameter likely won't fix.
>
> You should probably configure replicas: krb5 will fall back if the
> connection is refused from one kdc to the next configured one. This
> will result in faster operation for your users than waiting on an
> enormous listen() backlog will as well.
>
> A tunable for the listen value may be added in the future, but is not
> available at the present time.
[Freeipa-users] Freeipa 4.2.0 slow response
Hi,

I am experiencing a very slow response from FreeIPA. The new passwords that I am resetting are never working for the users, and it takes a lot of time for an existing user to login, around 25 secs. Doing a kinit admin itself is very slow:

KRB5_TRACE=/dev/stderr kinit admin
[11298] 1473702491.60880: Getting initial credentials for ad...@xyz.com
[11298] 1473702491.62981: Sending request (167 bytes) to XYZ.COM
[11298] 1473702491.63119: Initiating TCP connection to stream 10.1.3.35:88
[11298] 1473702491.63359: Sending TCP request to stream 10.1.3.35:88
[11298] 1473702493.797835: Received answer (341 bytes) from stream 10.1.3.35:88
[11298] 1473702493.797848: Terminating TCP connection to stream 10.1.3.35:88
[11298] 1473702493.797911: Response was from master KDC
[11298] 1473702493.797956: Received error from KDC: -1765328359/Additional pre-authentication required
[11298] 1473702493.797993: Processing preauth types: 136, 19, 2, 133
[11298] 1473702493.798005: Selected etype info: etype aes256-cts, salt "V@Cbu147E#1;R0WD", params ""
[11298] 1473702493.798009: Received cookie: MIT
Password for ad...@xyz.com:
[11298] 1473702498.190064: AS key obtained for encrypted timestamp: aes256-cts/2C9D
[11298] 1473702498.190109: Encrypted timestamp (for 1473702498.184527): plain 301AA011180F32303136303931323137343831385AA105020302D0CF, encrypted 25FC8D37EFB6B7837C8D5C6649DFB9972010D40EE29D1222FBA45CAA98428E42C7FCC9B7FE881A04BD3390A6A9EDE9D2D93729FDF3E47B6D
[11298] 1473702498.190129: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[11298] 1473702498.190133: Produced preauth for next request: 133, 2
[11298] 1473702498.190148: Sending request (261 bytes) to XYZ.COM
[11298] 1473702498.190246: Initiating TCP connection to stream 10.1.3.35:88
[11298] 1473702499.191933: Sending initial UDP request to dgram 10.1.3.35:88
[11298] 1473702502.195157: Sending retry UDP request to dgram 10.1.3.35:88
[11298] 1473702507.200405: Sending retry UDP request to dgram 10.1.3.35:88
[11298] 1473702513.226371: Sending TCP request to stream 10.1.3.35:88
[11298] 1473702515.797243: Received answer (730 bytes) from stream 10.1.3.35:88
[11298] 1473702515.797271: Terminating TCP connection to stream 10.1.3.35:88
[11298] 1473702515.797326: Response was from master KDC
[11298] 1473702515.797353: Processing preauth types: 19
[11298] 1473702515.797360: Selected etype info: etype aes256-cts, salt "V@Cbu147E#1;R0WD", params ""
[11298] 1473702515.797394: Produced preauth for next request: (empty)
[11298] 1473702515.797401: AS key determined by preauth: aes256-cts/2C9D
[11298] 1473702515.797445: Decrypted AS reply; session key is: aes256-cts/702E
[11298] 1473702515.797460: FAST negotiation: available
[11298] 1473702515.797478: Initializing KEYRING:persistent:0:0 with default princ ad...@xyz.com
[11298] 1473702515.797534: Storing ad...@xyz.com -> krbtgt/xyz@xyz.com in KEYRING:persistent:0:0
[11298] 1473702515.797572: Storing config in KEYRING:persistent:0:0 for krbtgt/xyz@xyz.com: fast_avail: yes
[11298] 1473702515.797585: Storing ad...@xyz.com -> krb5_ccache_conf_data/fast_avail/krbtgt\/XYZ.COM\@XYZ.COM@X-CACHECONF: in KEYRING:persistent:0:0
[11298] 1473702515.797631: Storing config in KEYRING:persistent:0:0 for krbtgt/xyz@xyz.com: pa_type: 2
[11298] 1473702515.797647: Storing ad...@xyz.com -> krb5_ccache_conf_data/pa_type/krbtgt\/XYZ.COM\@XYZ.COM@X-CACHECONF: in KEYRING:persistent:0:0

Are there any pointers as to what could be causing this slowness?

Thanks
Rakesh
Re: [Freeipa-users] Increase ListenBacklog for httpd
Can anyone provide some insight on this please? I have been trying to debug a hang issue for the past few weeks, and finally found that it starts with this issue when I see a lot of connections in SYN_RECV state. As it is happening now, netstat shows around 14-16 connections in SYN_RECV.

If I could get some inputs on this, I could have some workaround to mitigate the issues.

Thanks

On Mon, Sep 12, 2016 at 10:13 AM, Rakesh Rajasekharan <rakesh.rajasekha...@gmail.com> wrote:
> sorry I guess I did not put the question correctly
>
> I wanted to know .. like we have the ListenBacklog for apache to basically define the number of connections it can handle.. do we have some thing similar for our krb5kdc service.. as the SYN flooding at 88 looks like krb5kdc service is not able to handle sudden spurt in connections or the number of connections are more than it could handle..
>
> So, would be great if I could know how many connection it can support at any given time ..most of the times I see this error while i add clients to IPA master.. so if there's a known limit , I could first check netstat to see how many connections I have at any point and if its below the limit only then setup ipa-client-install
>
> Thanks,
>
> Rakesh
>
> On Sun, Sep 11, 2016 at 11:10 PM, Rakesh Rajasekharan <rakesh.rajasekha...@gmail.com> wrote:
> > Hi,
> >
> > In my Freeipa setup, I frequently see this message
> >
> > request_sock_TCP: Possible SYN flooding on port 88. Sending cookies
> >
> > Is there a way to increase the ListenBacklog so that I can workaround
> > this error as suggested in this doc
> > https://access.redhat.com/solutions/30453
> >
> > Thanks,
> > Rakesh
Re: [Freeipa-users] Increase ListenBacklog for httpd
Sorry, I guess I did not put the question correctly.

I wanted to know: like we have the ListenBacklog for apache to basically define the number of connections it can handle, do we have something similar for our krb5kdc service? As the SYN flooding at 88 looks like the krb5kdc service is not able to handle a sudden spurt in connections, or the number of connections is more than it could handle.

So, it would be great if I could know how many connections it can support at any given time. Most of the times I see this error while I add clients to the IPA master, so if there's a known limit, I could first check netstat to see how many connections I have at any point, and only if it's below the limit then set up ipa-client-install.

Thanks,

Rakesh

On Sun, Sep 11, 2016 at 11:10 PM, Rakesh Rajasekharan <rakesh.rajasekha...@gmail.com> wrote:
> Hi,
>
> In my Freeipa setup, I frequently see this message
>
> request_sock_TCP: Possible SYN flooding on port 88. Sending cookies
>
> Is there a way to increase the ListenBacklog so that I can workaround this
> error as suggested in this doc
> https://access.redhat.com/solutions/30453
>
> Thanks,
> Rakesh
[Freeipa-users] Increase ListenBacklog for httpd
Hi,

In my FreeIPA setup, I frequently see this message:

request_sock_TCP: Possible SYN flooding on port 88. Sending cookies

Is there a way to increase the ListenBacklog so that I can work around this error, as suggested in this doc:
https://access.redhat.com/solutions/30453

Thanks,
Rakesh
Re: [Freeipa-users] Freeipa 4.2.0 hangs intermittently
Hi Thierry, I was getting the hang issue while running ipa-client-install simultaneously on few clients.. However, today, I am not able to replicate that. I could not get a gdb . But i will try getting that the next time I face this issue. The CPU does not stay high.. it just momentarily touches a high value and then drops down to around 2-7% One question I have is , is it ok to set nsslapd-threadnumber to a very high value . I have around 4000 clients and with nsslapd-maxthreadsperconn set to 5..So, can I set nsslapd-threadnumber to around 25000. Thanks On Mon, Sep 5, 2016 at 1:03 PM, thierry bordaz <tbor...@redhat.com> wrote: > > Hi Rakesh, > > Were you able to get a pstack or full stack with gdb ( > http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-crashes) when > the server hangs ? > > If it happens with 500 threads as well as with 30, using 30 threads is a > better choice to debug this issue. > I will try to reproduce using 150 parallel 'ipa user-find p-testipa' > commands > > Something I am unsure is if the CPU consumption stays high (you mentioned > 340% CPU usage) as long as the hang happens or if after a sudden shot up > to 340% (that marks the beginning of the hang) it drops and stays hanging ? > > thanks > thierry > > On 09/04/2016 08:40 PM, Rakesh Rajasekharan wrote: > > strace on the slapd process actually had this in the output.. > FUTEX_WAIT_PRIVATE > > and checking for the number of threads slapd had.. there were 5015 threads > > ps -efL|grep slapd|wc -l > 5015 > > strace on most of the threads gave this output > > strace -p 67411 > Process 67411 attached > futex(0x7f3f0226b41c, FUTEX_WAIT_PRIVATE, 1, NULL) = -1 EAGAIN (Resource > temporarily unavailable) > futex(0x7f3f0226b41c, FUTEX_WAIT_PRIVATE, 2, NULL^CProcess 67411 detached > > > > > > On Sun, Sep 4, 2016 at 5:34 PM, Rakesh Rajasekharan < > rakesh.rajasekha...@gmail.com> wrote: > >> I have again got the issue of IPA hanging.. 
The issue came up when i >> tried to run ipa-client-install on 142 clients simultaneously >> >> >> None of the IPA commands are responding, and I see this error >> >> ipa user-find p-testipa >> ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI Error: >> Unspecified GSS failure. Minor code may provide more information (KDC >> returned error string: PROCESS_TGS) >> >> KRB5_TRACE=/dev/stdout kinit admin >> [41178] 1472984115.233214: Getting initial credentials for ad...@xyz.com >> [41178] 1472984115.235257: Sending request (167 bytes) to XYZ.COM >> [41178] 1472984115.235419: Initiating TCP connection to stream >> 10.1.3.36:88 >> [41178] 1472984115.235685: Sending TCP request to stream 10.1.3.36:88 >> [41178] 1472984120.238914: Received answer (174 bytes) from stream >> 10.1.3.36:88 >> [41178] 1472984120.238925: Terminating TCP connection to stream >> 10.1.3.36:88 >> [41178] 1472984120.238993: Response was from master KDC >> [41 >> >> >> Running an ldapsearch to see the db.. does not give any results and just >> hangs there >> >> ldapsearch -x -D 'cn=Directory Manager' -W -s one -b >> 'cn=kerberos,dc=xyz,dc=com' >> Enter LDAP Password: >> >> even an ldapsearch -x does not respond >> At this point, am sure that slapd is the one causing issues >> >> Running an strace against the hung slapd itself seems to get stuck does >> not proceed after saying "attaching to process" >> >> From some others posts I read Thierry suggesting to increase the >> nsslapd-threadnumber value >> >> It was set to 30, I think that might be too low. >> >> I have raised it to 500 >> >> Now after restarting the service .. ldapsearch starts responding. >> But running the test to add a sudden high number of clients again left >> ns-slapd in a hung state >> >> When i attempted adding the clients.. the ns-slapd cpu usage shot up to >> 340% and after that ns-slapd stopped responding >> >> So now, at least I know what might be causing the issue and I can now >> easily reproduce it. 
>> >> Is there a way I can make ns-slapd handle a sudden bump in incoming >> requests for ipa-client-install >> >> Thanks >> Rakesh >> >> >> >> >> >> >> On Mon, Aug 29, 2016 at 11:18 PM, Rich Megginson < <rmegg...@redhat.com> >> rmegg...@redhat.com> wrote: >> >>> On 08/29/2016 10:53 AM, Rakesh Rajasekharan wrote: >>> >>> Hi Thierry, >>> >>> My machine has 30GB RAM ..and 389-ds version is 1.3.4 >>> >>>
Re: [Freeipa-users] Freeipa 4.2.0 hangs intermittently
strace on the slapd process actually had this in the output.. FUTEX_WAIT_PRIVATE and checking for the number of threads slapd had.. there were 5015 threads ps -efL|grep slapd|wc -l 5015 strace on most of the threads gave this output strace -p 67411 Process 67411 attached futex(0x7f3f0226b41c, FUTEX_WAIT_PRIVATE, 1, NULL) = -1 EAGAIN (Resource temporarily unavailable) futex(0x7f3f0226b41c, FUTEX_WAIT_PRIVATE, 2, NULL^CProcess 67411 detached On Sun, Sep 4, 2016 at 5:34 PM, Rakesh Rajasekharan < rakesh.rajasekha...@gmail.com> wrote: > I have again got the issue of IPA hanging.. The issue came up when i tried > to run ipa-client-install on 142 clients simultaneously > > > None of the IPA commands are responding, and I see this error > > ipa user-find p-testipa > ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI Error: > Unspecified GSS failure. Minor code may provide more information (KDC > returned error string: PROCESS_TGS) > > KRB5_TRACE=/dev/stdout kinit admin > [41178] 1472984115.233214: Getting initial credentials for ad...@xyz.com > [41178] 1472984115.235257: Sending request (167 bytes) to XYZ.COM > [41178] 1472984115.235419: Initiating TCP connection to stream > 10.1.3.36:88 > [41178] 1472984115.235685: Sending TCP request to stream 10.1.3.36:88 > [41178] 1472984120.238914: Received answer (174 bytes) from stream > 10.1.3.36:88 > [41178] 1472984120.238925: Terminating TCP connection to stream > 10.1.3.36:88 > [41178] 1472984120.238993: Response was from master KDC > [41 > > > Running an ldapsearch to see the db.. 
does not give any results and just > hangs there > > ldapsearch -x -D 'cn=Directory Manager' -W -s one -b > 'cn=kerberos,dc=xyz,dc=com' > Enter LDAP Password: > > even an ldapsearch -x does not respond > At this point, am sure that slapd is the one causing issues > > Running an strace against the hung slapd itself seems to get stuck does > not proceed after saying "attaching to process" > > From some others posts I read Thierry suggesting to increase the > nsslapd-threadnumber value > > It was set to 30, I think that might be too low. > > I have raised it to 500 > > Now after restarting the service .. ldapsearch starts responding. > But running the test to add a sudden high number of clients again left > ns-slapd in a hung state > > When i attempted adding the clients.. the ns-slapd cpu usage shot up to > 340% and after that ns-slapd stopped responding > > So now, at least I know what might be causing the issue and I can now > easily reproduce it. > > Is there a way I can make ns-slapd handle a sudden bump in incoming > requests for ipa-client-install > > Thanks > Rakesh > > > > > > > On Mon, Aug 29, 2016 at 11:18 PM, Rich Megginson <rmegg...@redhat.com> > wrote: > >> On 08/29/2016 10:53 AM, Rakesh Rajasekharan wrote: >> >> Hi Thierry, >> >> My machine has 30GB RAM ..and 389-ds version is 1.3.4 >> >> ldapsearch shows the values for nsslapd-cachememsize updated to 200MB. >> >> ldapsearch -LLL -o ldif-wrap=no -D "cn=directory manager" -w 'mypassword' >> -b 'cn=userRoot,cn=ldbm database,cn=plugins,cn=config'|grep >> nsslapd-cachememsize >> nsslapd-cachememsize: 209715200 >> >> >> So, it seems to have updated though seeing that warning(WARNING: ipaca: >> entry cache size 10485760B is less than db size 11599872B) in the log >> confuses me a bit. 
>> >> There's one more entry that I found from the ldapsearch to be a bit low >> >> nsslapd-dncachememsize: 10485760 >> maxdncachesize: 10485760 >> >> Should I update these as well to a higher value >> >> At the time when the issue happened, the memory usage as well as the >> overall load of the system was very low . >> I will try reproducing the issue at least in my QA env..probably by trying >> to mock simultaneous parallel logins to a large number of hosts >> >> >> To monitor your cache sizes, please use the dbmon.sh tool provided with >> your distro. If that is not available with your particular distro, see >> https://github.com/richm/scripts/wiki/dbmon.sh >> >> >> >> >> thanks >> Rakesh >> >> >> >> >> On Mon, Aug 29, 2016 at 8:16 PM, thierry bordaz <tbor...@redhat.com> >> wrote: >> >>> Hi Rakesh, >>> >>> Those tuning may depend on the memory available on your machine. >>> nsslapd-cachememsize allows the entry cache to consume up to 200Mb but >>> its memory footprint is known to go above. >>> 200Mb both looks pretty good to me. How large is your machin
Re: [Freeipa-users] Freeipa 4.2.0 hangs intermittently
I have again got the issue of IPA hanging.. The issue came up when i tried to run ipa-client-install on 142 clients simultaneously None of the IPA commands are responding, and I see this error ipa user-find p-testipa ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (KDC returned error string: PROCESS_TGS) KRB5_TRACE=/dev/stdout kinit admin [41178] 1472984115.233214: Getting initial credentials for ad...@xyz.com [41178] 1472984115.235257: Sending request (167 bytes) to XYZ.COM [41178] 1472984115.235419: Initiating TCP connection to stream 10.1.3.36:88 [41178] 1472984115.235685: Sending TCP request to stream 10.1.3.36:88 [41178] 1472984120.238914: Received answer (174 bytes) from stream 10.1.3.36:88 [41178] 1472984120.238925: Terminating TCP connection to stream 10.1.3.36:88 [41178] 1472984120.238993: Response was from master KDC [41 Running an ldapsearch to see the db.. does not give any results and just hangs there ldapsearch -x -D 'cn=Directory Manager' -W -s one -b 'cn=kerberos,dc=xyz,dc=com' Enter LDAP Password: even an ldapsearch -x does not respond At this point, am sure that slapd is the one causing issues Running an strace against the hung slapd itself seems to get stuck does not proceed after saying "attaching to process" From some others posts I read Thierry suggesting to increase the nsslapd-threadnumber value It was set to 30, I think that might be too low. I have raised it to 500 Now after restarting the service .. ldapsearch starts responding. But running the test to add a sudden high number of clients again left ns-slapd in a hung state When i attempted adding the clients.. the ns-slapd cpu usage shot up to 340% and after that ns-slapd stopped responding So now, at least I know what might be causing the issue and I can now easily reproduce it. 
Is there a way I can make ns-slapd handle a sudden bump in incoming requests for ipa-client-install Thanks Rakesh On Mon, Aug 29, 2016 at 11:18 PM, Rich Megginson <rmegg...@redhat.com> wrote: > On 08/29/2016 10:53 AM, Rakesh Rajasekharan wrote: > > Hi Thierry, > > My machine has 30GB RAM ..and 389-ds version is 1.3.4 > > ldapsearch shows the values for nsslapd-cachememsize updated to 200MB. > > ldapsearch -LLL -o ldif-wrap=no -D "cn=directory manager" -w 'mypassword' > -b 'cn=userRoot,cn=ldbm database,cn=plugins,cn=config'|grep > nsslapd-cachememsize > nsslapd-cachememsize: 209715200 > > > So, it seems to have updated though seeing that warning(WARNING: ipaca: > entry cache size 10485760B is less than db size 11599872B) in the log > confuses me a bit. > > There's one more entry that I found from the ldapsearch to be a bit low > > nsslapd-dncachememsize: 10485760 > maxdncachesize: 10485760 > > Should I update these as well to a higher value > > At the time when the issue happened, the memory usage as well as the > overall load of the system was very low . > I will try reproducing the issue at least in my QA env..probably by trying > to mock simultaneous parallel logins to a large number of hosts > > > To monitor your cache sizes, please use the dbmon.sh tool provided with > your distro. If that is not available with your particular distro, see > https://github.com/richm/scripts/wiki/dbmon.sh > > > > > thanks > Rakesh > > > > > On Mon, Aug 29, 2016 at 8:16 PM, thierry bordaz <tbor...@redhat.com> > wrote: > >> Hi Rakesh, >> >> Those tuning may depend on the memory available on your machine. >> nsslapd-cachememsize allows the entry cache to consume up to 200Mb but >> its memory footprint is known to go above. >> 200Mb both looks pretty good to me. How large is your machine ? What is >> your version of 389-ds ? >> >> Those warnings do not change your settings. It just raise that entry >> cache of 'ipaca' and 'retrocl' are small but it is fine. 
The size of the >> entry cache is important mostly in userRoot. >> You may double check the actual values, after restart, with ldapsearch on >> 'cn=userRoot,cn=ldbm database,cn=plugins,cn=config' and 'cn=config,cn=ldbm >> database,cn=plugins,cn=config'. >> >> A step is to know what will be response time of DS to know if it is >> responsible of the hang or not. >> The logs and possibly pstack during those intermittent hangs will help to >> determine that. >> >> regards >> thierry >> >> >> >> >> >> On 08/29/2016 04:25 PM, Rakesh Rajasekharan wrote: >> >> I tried increasing the nsslapd-dbcachesize and nsslapd-cachememsize in my >> QA envs to 200MB. >> >> However, in my log files, I still see this message >> [29/Aug/2016:04:34:37 +0000]
Re: [Freeipa-users] Freeipa 4.2.0 hangs intermittently
Hi Thierry, My machine has 30GB RAM ..and 389-ds version is 1.3.4 ldapsearch shows the values for nsslapd-cachememsize updated to 200MB. ldapsearch -LLL -o ldif-wrap=no -D "cn=directory manager" -w 'mypassword' -b 'cn=userRoot,cn=ldbm database,cn=plugins,cn=config'|grep nsslapd-cachememsize nsslapd-cachememsize: 209715200 So, it seems to have updated though seeing that warning(WARNING: ipaca: entry cache size 10485760B is less than db size 11599872B) in the log confuses me a bit. There's one more entry that I found from the ldapsearch to be a bit low nsslapd-dncachememsize: 10485760 maxdncachesize: 10485760 Should I update these as well to a higher value At the time when the issue happened, the memory usage as well as the overall load of the system was very low . I will try reproducing the issue at least in my QA env..probably by trying to mock simultaneous parallel logins to a large number of hosts thanks Rakesh On Mon, Aug 29, 2016 at 8:16 PM, thierry bordaz <tbor...@redhat.com> wrote: > Hi Rakesh, > > Those tuning may depend on the memory available on your machine. > nsslapd-cachememsize allows the entry cache to consume up to 200Mb but its > memory footprint is known to go above. > 200Mb both looks pretty good to me. How large is your machine ? What is > your version of 389-ds ? > > Those warnings do not change your settings. It just raise that entry cache > of 'ipaca' and 'retrocl' are small but it is fine. The size of the entry > cache is important mostly in userRoot. > You may double check the actual values, after restart, with ldapsearch on > 'cn=userRoot,cn=ldbm database,cn=plugins,cn=config' and 'cn=config,cn=ldbm > database,cn=plugins,cn=config'. > > A step is to know what will be response time of DS to know if it is > responsible of the hang or not. > The logs and possibly pstack during those intermittent hangs will help to > determine that. 
> > regards > thierry > > > > > > On 08/29/2016 04:25 PM, Rakesh Rajasekharan wrote: > > I tried increasing the nsslapd-dbcachesize and nsslapd-cachememsize in my > QA envs to 200MB. > > However, in my log files, I still see this message > [29/Aug/2016:04:34:37 +0000] - WARNING: ipaca: entry cache size 10485760B > is less than db size 11599872B; We recommend to increase the entry cache > size nsslapd-cachememsize. > [29/Aug/2016:04:34:37 +0000] - WARNING: changelog: entry cache size > 2097152B is less than db size 441647104B; We recommend to increase the > entry cache size nsslapd-cachememsize. > > these are my ldif files that i used to modify the values > modify entry cache size > cat modify-cache-mem-size.ldif > dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config > changetype: modify > replace: nsslapd-cachememsize > nsslapd-cachememsize: 209715200 > > modify db cache size > cat modfy-db-cache-size.ldif > dn: cn=config,cn=ldbm database,cn=plugins,cn=config > changetype: modify > replace: nsslapd-dbcachesize > nsslapd-dbcachesize: 209715200 > > After modifying , i restarted IPA services > > Is there anything else that I need to take care of as the logs suggest > it's still not getting the updated values > > Thanks > Rakesh > > On Mon, Aug 29, 2016 at 6:07 PM, Rakesh Rajasekharan < > rakesh.rajasekha...@gmail.com> wrote: > >> Hi Thierry, >> >> Because of the issues we had to revert back to earlier running openldap in >> production. >> >> I have now done a few TCP related changes in sysctl.conf and have also >> increased the nsslapd-dbcachesize and nsslapd-cachememsize to 200MB >> >> I will again start migrating hosts back to IPA and see if I face the >> earlier issue. >> >> I will update back once I have something >> >> >> Thanks, >> Rakesh >> >> >> >> On Thu, Aug 25, 2016 at 2:17 PM, thierry bordaz < <tbor...@redhat.com> >> tbor...@redhat.com> wrote: >> >>> >>> >>> On 08/25/2016 10:15 AM, Rakesh Rajasekharan wrote: >>> >>> All of the troubleshooting seems fine. 
>>> >>> >>> However, Running logconv.pl gives me this output >>> >>> - Recommendations - >>> >>> 1. You have unindexed components, this can be caused from a search on >>> an unindexed attribute, or your returned results exceeded the >>> allidsthreshold. Unindexed components are not recommended. To refuse >>> unindexed searches, switch 'nsslapd-require-index' to 'on' under your >>> database entry (e.g. cn=UserRoot,cn=ldbm database,cn=plugins,cn=config). >>> >>> 2. You have a significant difference between binds and unbinds. You >>> may want to
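The confusion in this exchange is that the LDIF raised `nsslapd-cachememsize` on the `userRoot` backend, while the two warnings name the `ipaca` and `changelog` backends, each of which is a separate entry under `cn=ldbm database,cn=plugins,cn=config`. The following is an added example written for this page, not 389-ds or FreeIPA code: it reads the warning lines from the errors log, works out which backend each one is about, emits one LDIF modify record per backend with the DN taken from the warning, and checks the value `ldapsearch` reports after the restart. The sample log lines are constructed from the two warnings quoted above; the 1.5x headroom factor and the `cn=<backend>,cn=ldbm database,cn=plugins,cn=config` DN pattern are assumptions of this example, not something the thread states.

```python
"""Turn 389-ds "entry cache size ... is less than db size" warnings into the
LDIF needed to raise nsslapd-cachememsize on the backend the warning names.
Added example; the log sample is constructed and the sizing rule is a choice."""
import re

# Constructed sample modelled on the two warnings quoted in the thread.
ERRORS_LOG_SAMPLE = """\
[29/Aug/2016:04:34:37 +0000] - WARNING: ipaca: entry cache size 10485760B is less than db size 11599872B; We recommend to increase the entry cache size nsslapd-cachememsize.
[29/Aug/2016:04:34:37 +0000] - WARNING: changelog: entry cache size 2097152B is less than db size 441647104B; We recommend to increase the entry cache size nsslapd-cachememsize.
[29/Aug/2016:04:34:38 +0000] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
"""

WARNING_RE = re.compile(
    r"WARNING: (?P<backend>[^:]+): entry cache size (?P<cache>\d+)B "
    r"is less than db size (?P<db>\d+)B")

MIB = 1024 * 1024

def parse_cache_warnings(log_text):
    """Return {backend: (cache_bytes, db_bytes)} for each undersized entry cache."""
    found = {}
    for line in log_text.splitlines():
        m = WARNING_RE.search(line)
        if m:
            found[m.group("backend")] = (int(m.group("cache")), int(m.group("db")))
    return found

def recommend_cache_size(db_bytes, headroom=1.5, floor=10 * MIB):
    """Size the entry cache above the on-disk db size, rounded up to a whole MiB.
    The headroom factor is an assumption for this example: the entry cache holds
    decoded entries, which take more room than the raw db pages."""
    target = max(int(db_bytes * headroom), floor)
    return ((target + MIB - 1) // MIB) * MIB

def backend_dn(backend):
    # Assumed layout: every ldbm backend is cn=<name> under the ldbm database entry.
    return "cn=%s,cn=ldbm database,cn=plugins,cn=config" % backend

def ldif_for(warnings, headroom=1.5):
    """One LDIF modify record per undersized backend, in the same shape as the
    thread's modify-cache-mem-size.ldif but with the DN taken from the warning."""
    records = []
    for backend, (_cache, db) in sorted(warnings.items()):
        records.append("\n".join([
            "dn: %s" % backend_dn(backend),
            "changetype: modify",
            "replace: nsslapd-cachememsize",
            "nsslapd-cachememsize: %d" % recommend_cache_size(db, headroom),
        ]))
    return "\n\n".join(records) + "\n"

def check_applied(ldapsearch_output, expected):
    """True if the value 389-ds reports after restart matches. Feed it the output of
    ldapsearch -LLL -o ldif-wrap=no ... -b <backend dn> nsslapd-cachememsize"""
    for line in ldapsearch_output.splitlines():
        if line.startswith("nsslapd-cachememsize:"):
            return int(line.split(":", 1)[1]) == expected
    return False

if __name__ == "__main__":
    warnings = parse_cache_warnings(ERRORS_LOG_SAMPLE)
    for backend, (cache, db) in warnings.items():
        print("%s: cache %d B, db %d B -> recommend %d B"
              % (backend, cache, db, recommend_cache_size(db)))
    print(ldif_for(warnings))
```

Apply the generated LDIF with `ldapmodify -x -D 'cn=Directory Manager' -W -f <file>`, restart, then pass the `ldapsearch` output for each backend DN to `check_applied`. As Thierry says later in the thread, the `ipaca` and retro changelog caches matter far less than `userRoot`, so a warning about them is not evidence that the `userRoot` change failed; the ldapsearch result `nsslapd-cachememsize: 209715200` already shows it took effect.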
Re: [Freeipa-users] Freeipa 4.2.0 hangs intermittently
Hi Thierry, Because of the issues we had to revert back to earlier running openldap in production. I have now done a few TCP related changes in sysctl.conf and have also increased the nsslapd-dbcachesize and nsslapd-cachememsize to 200MB I will again start migrating hosts back to IPA and see if I face the earlier issue. I will update back once I have something Thanks, Rakesh On Thu, Aug 25, 2016 at 2:17 PM, thierry bordaz <tbor...@redhat.com> wrote: > > > On 08/25/2016 10:15 AM, Rakesh Rajasekharan wrote: > > All of the troubleshooting seems fine. > > > However, Running logconv.pl gives me this output > > - Recommendations - > > 1. You have unindexed components, this can be caused from a search on an > unindexed attribute, or your returned results exceeded the > allidsthreshold. Unindexed components are not recommended. To refuse > unindexed searches, switch 'nsslapd-require-index' to 'on' under your > database entry (e.g. cn=UserRoot,cn=ldbm database,cn=plugins,cn=config). > > 2. You have a significant difference between binds and unbinds. You may > want to investigate this difference. > > > I feel, this could be a pointer to things going slow.. and IPA hanging. I > think i now have something that I can try and nail down this issue. 
> > On a sidenote, I was earlier running openldap and migrated over to > Freeipa, > > Thanks > Rakesh > > > > On Wed, Aug 24, 2016 at 12:38 PM, Petr Spacek <pspa...@redhat.com> wrote: > >> On 23.8.2016 18:44, Rakesh Rajasekharan wrote: >> > I think there's something seriously wrong with my system >> > >> > not able to run any IPA commands >> > >> > klist >> > Ticket cache: KEYRING:persistent:0:0 >> > Default principal: ad...@xyz.com >> > >> > Valid starting Expires Service principal >> > 2016-08-23T16:26:36 2016-08-24T16:26:22 krbtgt/ <xyz@xyz.com> >> xyz@xyz.com >> > >> > >> > [root@prod-ipa-master-1a :~] ipactl status >> > Directory Service: RUNNING >> > krb5kdc Service: RUNNING >> > kadmin Service: RUNNING >> > ipa_memcached Service: RUNNING >> > httpd Service: RUNNING >> > pki-tomcatd Service: RUNNING >> > ipa-otpd Service: RUNNING >> > ipa: INFO: The ipactl command was successful >> > >> > >> > >> > [root@prod-ipa-master :~] ipa user-find p-testuser >> > ipa: ERROR: Kerberos error: ('Unspecified GSS failure. Minor code may >> > provide more information', 851968)/("Cannot contact any KDC for realm ' >> > XYZ.COM'", -1765328228) >> > > Hi Rakesh, > > Having a reproducible test case would you rerun the command above. > During its processing you may monitor DS process load (top). If it is > high, you may get some pstacks of it. > Also would you attach the part of DS access logs taken during the command. > > regards > thierry > > > >> >> This is weird because the server seems to be up. >> >> Please follow >> http://www.freeipa.org/page/Troubleshooting#Authentication.2FKerberos >> >> Petr^2 Spacek >> >> > >> > >> > Thanks >> > >> > Rakesh >> > >> > On Tue, Aug 23, 2016 at 10:01 PM, Rakesh Rajasekharan < >> > rakesh.rajasekha...@gmail.com> wrote: >> > >> >> i changed the logging level to 4 . Modifying nsslapd-accesslog-level >> >> >> >> But, the hang is still there. 
though I don't see the segfault now >> >> >> >> >> >> >> >> On Tue, Aug 23, 2016 at 9:02 PM, Rakesh Rajasekharan < >> >> rakesh.rajasekha...@gmail.com> wrote: >> >> >> >>> My disk was getting filled too fast >> >>> >> >>> logs under /var/log/dirsrv was coming around 5 gb quickly filling up >> >>> >> >>> Is there a way to make the logging less verbose >> >>> >> >>> >> >>> >> >>> On Tue, Aug 23, 2016 at 6:41 PM, Petr Spacek <pspa...@redhat.com> >> wrote: >> >>> >> >>>> On 23.8.2016 15:07, Rakesh Rajasekharan wrote: >> >>>>> I was able to fix that may be temporarily... when i checked the >> >>>> network.. >> >>>>> there was another process that was running and consuming a lot of >> >>>> network ( >> >>>>> i have no idea who did that. I need to seriously start restricting >> >>>> people
Re: [Freeipa-users] Freeipa 4.2.0 hangs intermittently
All of the troubleshooting seems fine. However, Running logconv.pl gives me this output - Recommendations - 1. You have unindexed components, this can be caused from a search on an unindexed attribute, or your returned results exceeded the allidsthreshold. Unindexed components are not recommended. To refuse unindexed searches, switch 'nsslapd-require-index' to 'on' under your database entry (e.g. cn=UserRoot,cn=ldbm database,cn=plugins,cn=config). 2. You have a significant difference between binds and unbinds. You may want to investigate this difference. I feel, this could be a pointer to things going slow.. and IPA hanging. I think i now have something that I can try and nail down this issue. On a sidenote, I was earlier running openldap and migrated over to Freeipa, Thanks Rakesh On Wed, Aug 24, 2016 at 12:38 PM, Petr Spacek <pspa...@redhat.com> wrote: > On 23.8.2016 18:44, Rakesh Rajasekharan wrote: > > I think there's something seriously wrong with my system > > > > not able to run any IPA commands > > > > klist > > Ticket cache: KEYRING:persistent:0:0 > > Default principal: ad...@xyz.com > > > > Valid starting Expires Service principal > > 2016-08-23T16:26:36 2016-08-24T16:26:22 krbtgt/xyz@xyz.com > > > > > > [root@prod-ipa-master-1a :~] ipactl status > > Directory Service: RUNNING > > krb5kdc Service: RUNNING > > kadmin Service: RUNNING > > ipa_memcached Service: RUNNING > > httpd Service: RUNNING > > pki-tomcatd Service: RUNNING > > ipa-otpd Service: RUNNING > > ipa: INFO: The ipactl command was successful > > > > > > > > [root@prod-ipa-master :~] ipa user-find p-testuser > > ipa: ERROR: Kerberos error: ('Unspecified GSS failure. Minor code may > > provide more information', 851968)/("Cannot contact any KDC for realm ' > > XYZ.COM'", -1765328228) > > > > This is weird because the server seems to be up. 
> > Please follow > http://www.freeipa.org/page/Troubleshooting#Authentication.2FKerberos > > Petr^2 Spacek > > > > > > > Thanks > > > > Rakesh > > > > On Tue, Aug 23, 2016 at 10:01 PM, Rakesh Rajasekharan < > > rakesh.rajasekha...@gmail.com> wrote: > > > >> i changed the logging level to 4 . Modifying nsslapd-accesslog-level > >> > >> But, the hang is still there. though I don't see the segfault now > >> > >> > >> > >> > >> On Tue, Aug 23, 2016 at 9:02 PM, Rakesh Rajasekharan < > >> rakesh.rajasekha...@gmail.com> wrote: > >> > >>> My disk was getting filled too fast > >>> > >>> logs under /var/log/dirsrv was coming around 5 gb quickly filling up > >>> > >>> Is there a way to make the logging less verbose > >>> > >>> > >>> > >>> On Tue, Aug 23, 2016 at 6:41 PM, Petr Spacek <pspa...@redhat.com> > wrote: > >>> > >>>> On 23.8.2016 15:07, Rakesh Rajasekharan wrote: > >>>>> I was able to fix that may be temporarily... when i checked the > >>>> network.. > >>>>> there was another process that was running and consuming a lot of > >>>> network ( > >>>>> i have no idea who did that. I need to seriously start restricting > >>>> people > >>>>> access to this machine ) > >>>>> > >>>>> after killing that performance improved drastically > >>>>> > >>>>> But now, suddenly I started experiencing the same hang. > >>>>> > >>>>> This time , I get the following error when checked dmesg > >>>>> > >>>>> [ 301.236976] ns-slapd[3124]: segfault at 0 ip 7f1de416951c sp > >>>>> 7f1dee1dba70 error 4 in libcos-plugin.so[7f1de4166000+b000] > >>>>> [ 1116.248431] TCP: request_sock_TCP: Possible SYN flooding on port > 88. > >>>>> Sending cookies. Check SNMP counters. > >>>>> [11831.397037] ns-slapd[22550]: segfault at 0 ip 7f533d82251c sp > >>>>> 7f5347894a70 error 4 in libcos-plugin.so[7f533d81f000+b000] > >>>>> [11832.727989] ns-slapd[22606]: segfault at 0 ip 7f6231eb951c sp > >>>>> 7f623bf2ba70 error 4 in libcos-plugin.so[7f6231eb6000+b00 > >>>> > >>>> Okay, this one is serious. 
The LDAP server crashed. > >>>> > >>>> 1. Make sure all your packages are up-to-date. > >>>> > >&
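Both logconv.pl recommendations quoted above (unindexed searches and a bind/unbind gap) can be traced back to individual connections in the 389-ds access log: a search that ran unindexed has `notes=U` on its `RESULT` line, and the filter that caused it is on the matching `SRCH` line with the same `conn=` and `op=`. The following is an added example written for this page, not 389-ds, logconv.pl or FreeIPA code. It pairs `SRCH` and `RESULT` lines, lists every unindexed filter with its entry count and elapsed time, and reports connections that `BIND` but never `UNBIND`. The log lines below are constructed in the 389-ds access-log layout; the connection numbers, filters and counts are made up for the example and are not the poster's data.

```python
"""Find what logconv.pl is warning about in a 389-ds access log: unindexed
searches (RESULT lines carrying notes=U) with their filters, and connections
that bound but never unbound. Added example; the log sample is constructed."""
import re

ACCESS_LOG_SAMPLE = """\
[23/Aug/2016:12:49:30 +0000] conn=101 fd=64 slot=64 connection from 10.1.4.10 to 10.1.3.36
[23/Aug/2016:12:49:30 +0000] conn=101 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[23/Aug/2016:12:49:30 +0000] conn=101 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=xyz,dc=com"
[23/Aug/2016:12:49:31 +0000] conn=101 op=1 SRCH base="cn=accounts,dc=xyz,dc=com" scope=2 filter="(description=*test*)" attrs=ALL
[23/Aug/2016:12:49:33 +0000] conn=101 op=1 RESULT err=0 tag=101 nentries=3 etime=2 notes=U
[23/Aug/2016:12:49:33 +0000] conn=101 op=2 SRCH base="cn=accounts,dc=xyz,dc=com" scope=2 filter="(uid=p-testipa)" attrs=ALL
[23/Aug/2016:12:49:33 +0000] conn=101 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[23/Aug/2016:12:49:33 +0000] conn=101 op=3 UNBIND
[23/Aug/2016:12:49:34 +0000] conn=102 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[23/Aug/2016:12:49:34 +0000] conn=102 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[23/Aug/2016:12:49:35 +0000] conn=102 op=1 SRCH base="dc=xyz,dc=com" scope=2 filter="(&(objectClass=posixAccount)(loginShell=/bin/bash))" attrs="uid"
[23/Aug/2016:12:49:40 +0000] conn=102 op=1 RESULT err=0 tag=101 nentries=4000 etime=5 notes=U
"""

OP_RE = re.compile(r"conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<kind>SRCH|RESULT|BIND|UNBIND)(?P<rest>.*)")
FILTER_RE = re.compile(r'filter="([^"]*)"')

def unindexed_searches(log_text):
    """(conn, op, filter, nentries, etime) for every search whose RESULT carries
    the U note, found by pairing RESULT with its SRCH on (conn, op)."""
    searches = {}
    hits = []
    for line in log_text.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue
        key = (int(m.group("conn")), int(m.group("op")))
        rest = m.group("rest")
        if m.group("kind") == "SRCH":
            f = FILTER_RE.search(rest)
            searches[key] = f.group(1) if f else ""
        elif m.group("kind") == "RESULT":
            notes = re.search(r"notes=(\S+)", rest)
            if notes and "U" in notes.group(1).split(","):
                nentries = int(re.search(r"nentries=(\d+)", rest).group(1))
                etime = re.search(r"etime=([\d.]+)", rest).group(1)
                hits.append((key[0], key[1], searches.get(key, ""), nentries, etime))
    return hits

def bind_unbind_imbalance(log_text):
    """Connections that issued a BIND but no UNBIND (the bind/unbind difference)."""
    binds, unbinds = set(), set()
    for line in log_text.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue
        conn = int(m.group("conn"))
        if m.group("kind") == "BIND":
            binds.add(conn)
        elif m.group("kind") == "UNBIND":
            unbinds.add(conn)
    return sorted(binds - unbinds)

if __name__ == "__main__":
    for hit in unindexed_searches(ACCESS_LOG_SAMPLE):
        print("unindexed: conn=%d op=%d filter=%s nentries=%d etime=%s" % hit)
    print("bound but never unbound:", bind_unbind_imbalance(ACCESS_LOG_SAMPLE))
```

Run this over `/var/log/dirsrv/slapd-<instance>/access` from the window of a hang. The listing tells you which attribute needs an index (a substring filter such as `(description=*test*)` needs a `sub` index, not just `eq`) before you consider the `nsslapd-require-index: on` switch logconv.pl suggests, since that switch makes 389-ds refuse every unindexed search, whoever sends it. Connections that bind and never unbind are worth correlating with the client IPs on their `connection from` lines; a pool of clients that never closes is one way to exhaust the worker threads discussed later in this thread.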
Re: [Freeipa-users] Freeipa 4.2.0 hangs intermittently
I think there's something seriously wrong with my system not able to run any IPA commands klist Ticket cache: KEYRING:persistent:0:0 Default principal: ad...@xyz.com Valid starting Expires Service principal 2016-08-23T16:26:36 2016-08-24T16:26:22 krbtgt/xyz@xyz.com [root@prod-ipa-master-1a :~] ipactl status Directory Service: RUNNING krb5kdc Service: RUNNING kadmin Service: RUNNING ipa_memcached Service: RUNNING httpd Service: RUNNING pki-tomcatd Service: RUNNING ipa-otpd Service: RUNNING ipa: INFO: The ipactl command was successful [root@prod-ipa-master :~] ipa user-find p-testuser ipa: ERROR: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/("Cannot contact any KDC for realm ' XYZ.COM'", -1765328228) Thanks Rakesh On Tue, Aug 23, 2016 at 10:01 PM, Rakesh Rajasekharan < rakesh.rajasekha...@gmail.com> wrote: > i changed the logging level to 4 . Modifying nsslapd-accesslog-level > > But, the hang is still there. though I don't see the segfault now > > > > > On Tue, Aug 23, 2016 at 9:02 PM, Rakesh Rajasekharan < > rakesh.rajasekha...@gmail.com> wrote: > >> My disk was getting filled too fast >> >> logs under /var/log/dirsrv was coming around 5 gb quickly filling up >> >> Is there a way to make the logging less verbose >> >> >> >> On Tue, Aug 23, 2016 at 6:41 PM, Petr Spacek <pspa...@redhat.com> wrote: >> >>> On 23.8.2016 15:07, Rakesh Rajasekharan wrote: >>> > I was able to fix that may be temporarily... when i checked the >>> network.. >>> > there was another process that was running and consuming a lot of >>> network ( >>> > i have no idea who did that. I need to seriously start restricting >>> people >>> > access to this machine ) >>> > >>> > after killing that performance improved drastically >>> > >>> > But now, suddenly I started experiencing the same hang. 
>>> > >>> > This time , I get the following error when checked dmesg >>> > >>> > [ 301.236976] ns-slapd[3124]: segfault at 0 ip 7f1de416951c sp >>> > 7f1dee1dba70 error 4 in libcos-plugin.so[7f1de4166000+b000] >>> > [ 1116.248431] TCP: request_sock_TCP: Possible SYN flooding on port 88. >>> > Sending cookies. Check SNMP counters. >>> > [11831.397037] ns-slapd[22550]: segfault at 0 ip 7f533d82251c sp >>> > 7f5347894a70 error 4 in libcos-plugin.so[7f533d81f000+b000] >>> > [11832.727989] ns-slapd[22606]: segfault at 0 ip 7f6231eb951c sp >>> > 7f623bf2ba70 error 4 in libcos-plugin.so[7f6231eb6000+b00 >>> >>> Okay, this one is serious. The LDAP server crashed. >>> >>> 1. Make sure all your packages are up-to-date. >>> >>> Please see >>> http://directory.fedoraproject.org/docs/389ds/FAQ/faq.html#d >>> ebugging-crashes >>> for further instructions how to debug this. >>> >>> Petr^2 Spacek >>> >>> > >>> > and in /var/log/dirsrv/example-com/errors >>> > >>> > [23/Aug/2016:12:49:36 +0000] DSRetroclPlugin - delete_changerecord: >>> could >>> > not delete change record 3291138 (rc: 32) >>> > [23/Aug/2016:12:49:36 +0000] DSRetroclPlugin - delete_changerecord: >>> could >>> > not delete change record 3291139 (rc: 32) >>> > [23/Aug/2016:12:49:36 +0000] DSRetroclPlugin - delete_changerecord: >>> could >>> > not delete change record 3291140 (rc: 32) >>> > [23/Aug/2016:12:49:36 +0000] DSRetroclPlugin - delete_changerecord: >>> could >>> > not delete change record 3291141 (rc: 32) >>> > [23/Aug/2016:12:49:36 +0000] DSRetroclPlugin - delete_changerecord: >>> could >>> > not delete change record 3291142 (rc: 32) >>> > [23/Aug/2016:12:49:36 +0000] DSRetroclPlugin - delete_changerecord: >>> could >>> > not delete change record 3291143 (rc: 32) >>> > [23/Aug/2016:12:49:36 +0000] DSRetroclPlugin - delete_changerecord: >>> could >>> > not delete change record 3291144 (rc: 32) >>> > [23/Aug/2016:12:49:36 +0000] DSRetroclPlugin - delete_changerecord: >>> could >>> > not delete change record 3291145 (rc: 32) >>> > 
[23/Aug/2016:12:49:50 +0000] - Retry count exceeded in delete >>> > [23/Aug/2016:12:49:50 +0000] DSRetroclPlugin - delete_changerecord: >>> could >>> > not delete change record 3292734 (rc: 51) >>> > >>> > >>&
Re: [Freeipa-users] Freeipa 4.2.0 hangs intermittently
i changed the logging level to 4 . Modifying nsslapd-accesslog-level But, the hang is still there. though I don't see the segfault now On Tue, Aug 23, 2016 at 9:02 PM, Rakesh Rajasekharan < rakesh.rajasekha...@gmail.com> wrote: > My disk was getting filled too fast > > logs under /var/log/dirsrv was coming around 5 gb quickly filling up > > Is there a way to make the logging less verbose > > > > On Tue, Aug 23, 2016 at 6:41 PM, Petr Spacek <pspa...@redhat.com> wrote: > >> On 23.8.2016 15:07, Rakesh Rajasekharan wrote: >> > I was able to fix that may be temporarily... when i checked the >> network.. >> > there was another process that was running and consuming a lot of >> network ( >> > i have no idea who did that. I need to seriously start restricting >> people >> > access to this machine ) >> > >> > after killing that performance improved drastically >> > >> > But now, suddenly I started experiencing the same hang. >> > >> > This time , I get the following error when checked dmesg >> > >> > [ 301.236976] ns-slapd[3124]: segfault at 0 ip 7f1de416951c sp >> > 7f1dee1dba70 error 4 in libcos-plugin.so[7f1de4166000+b000] >> > [ 1116.248431] TCP: request_sock_TCP: Possible SYN flooding on port 88. >> > Sending cookies. Check SNMP counters. >> > [11831.397037] ns-slapd[22550]: segfault at 0 ip 7f533d82251c sp >> > 7f5347894a70 error 4 in libcos-plugin.so[7f533d81f000+b000] >> > [11832.727989] ns-slapd[22606]: segfault at 0 ip 7f6231eb951c sp >> > 7f623bf2ba70 error 4 in libcos-plugin.so[7f6231eb6000+b00 >> >> Okay, this one is serious. The LDAP server crashed. >> >> 1. Make sure all your packages are up-to-date. >> >> Please see >> http://directory.fedoraproject.org/docs/389ds/FAQ/faq.html# >> debugging-crashes >> for further instructions how to debug this. 
>> >> Petr^2 Spacek >> >> > >> > and in /var/log/dirsrv/example-com/errors >> > >> > [23/Aug/2016:12:49:36 +0000] DSRetroclPlugin - delete_changerecord: >> could >> > not delete change record 3291138 (rc: 32) >> > [23/Aug/2016:12:49:36 +0000] DSRetroclPlugin - delete_changerecord: >> could >> > not delete change record 3291139 (rc: 32) >> > [23/Aug/2016:12:49:36 +0000] DSRetroclPlugin - delete_changerecord: >> could >> > not delete change record 3291140 (rc: 32) >> > [23/Aug/2016:12:49:36 +0000] DSRetroclPlugin - delete_changerecord: >> could >> > not delete change record 3291141 (rc: 32) >> > [23/Aug/2016:12:49:36 +0000] DSRetroclPlugin - delete_changerecord: >> could >> > not delete change record 3291142 (rc: 32) >> > [23/Aug/2016:12:49:36 +0000] DSRetroclPlugin - delete_changerecord: >> could >> > not delete change record 3291143 (rc: 32) >> > [23/Aug/2016:12:49:36 +0000] DSRetroclPlugin - delete_changerecord: >> could >> > not delete change record 3291144 (rc: 32) >> > [23/Aug/2016:12:49:36 +0000] DSRetroclPlugin - delete_changerecord: >> could >> > not delete change record 3291145 (rc: 32) >> > [23/Aug/2016:12:49:50 +0000] - Retry count exceeded in delete >> > [23/Aug/2016:12:49:50 +0000] DSRetroclPlugin - delete_changerecord: >> could >> > not delete change record 3292734 (rc: 51) >> > >> > >> > Can i do something about this error.. I tried to restart ipa a couple >> of >> > times but that did not help >> > >> > Thanks >> > Rakesh >> > >> > On Mon, Aug 22, 2016 at 2:27 PM, Petr Spacek <pspa...@redhat.com> >> wrote: >> > >> >> On 19.8.2016 19:32, Rakesh Rajasekharan wrote: >> >>> I am running my set up on AWS cloud, and entropy is low at around 180 >> . >> >>> >> >>> I plan to increase it by installing haveged . But, would low entropy >> by >> >> any >> >>> chance cause this issue of intermittent hang . >> >>> Also, the hang is mostly observed when registering around 20 clients >> >>> together >> >> >> >> Possibly, I'm not sure. If you want to dig into this, I would do this: >> >> 1. 
look what process hangs on client (using pstree command or so) >> >> $ pstree >> >> >> >> 2. look to what server and port is the hanging client connected to >> >> $ lsof -p >> >> >> >> 3. jump to server and see what process is bound to the target port
Re: [Freeipa-users] Freeipa 4.2.0 hangs intermittently
My disk was getting filled too fast.

Logs under /var/log/dirsrv were coming to around 5 GB, quickly filling it up.

Is there a way to make the logging less verbose?

On Tue, Aug 23, 2016 at 6:41 PM, Petr Spacek <pspa...@redhat.com> wrote:
> On 23.8.2016 15:07, Rakesh Rajasekharan wrote:
>> I was able to fix that, maybe temporarily... when I checked the network, there was another process that was running and consuming a lot of network (I have no idea who did that. I need to seriously start restricting people's access to this machine).
>>
>> After killing that, performance improved drastically.
>>
>> But now, suddenly I started experiencing the same hang.
>>
>> This time, I get the following error when I check dmesg:
>>
>> [ 301.236976] ns-slapd[3124]: segfault at 0 ip 7f1de416951c sp 7f1dee1dba70 error 4 in libcos-plugin.so[7f1de4166000+b000]
>> [ 1116.248431] TCP: request_sock_TCP: Possible SYN flooding on port 88. Sending cookies. Check SNMP counters.
>> [11831.397037] ns-slapd[22550]: segfault at 0 ip 7f533d82251c sp 7f5347894a70 error 4 in libcos-plugin.so[7f533d81f000+b000]
>> [11832.727989] ns-slapd[22606]: segfault at 0 ip 7f6231eb951c sp 7f623bf2ba70 error 4 in libcos-plugin.so[7f6231eb6000+b00
>
> Okay, this one is serious. The LDAP server crashed.
>
> 1. Make sure all your packages are up-to-date.
>
> Please see http://directory.fedoraproject.org/docs/389ds/FAQ/faq.html#debugging-crashes for further instructions on how to debug this.
>
> Petr^2 Spacek
>
>> and in /var/log/dirsrv/example-com/errors
>>
>> [23/Aug/2016:12:49:36 +] DSRetroclPlugin - delete_changerecord: could not delete change record 3291138 (rc: 32)
>> [23/Aug/2016:12:49:36 +] DSRetroclPlugin - delete_changerecord: could not delete change record 3291139 (rc: 32)
>> [23/Aug/2016:12:49:36 +] DSRetroclPlugin - delete_changerecord: could not delete change record 3291140 (rc: 32)
>> [23/Aug/2016:12:49:36 +] DSRetroclPlugin - delete_changerecord: could not delete change record 3291141 (rc: 32)
>> [23/Aug/2016:12:49:36 +] DSRetroclPlugin - delete_changerecord: could not delete change record 3291142 (rc: 32)
>> [23/Aug/2016:12:49:36 +] DSRetroclPlugin - delete_changerecord: could not delete change record 3291143 (rc: 32)
>> [23/Aug/2016:12:49:36 +] DSRetroclPlugin - delete_changerecord: could not delete change record 3291144 (rc: 32)
>> [23/Aug/2016:12:49:36 +] DSRetroclPlugin - delete_changerecord: could not delete change record 3291145 (rc: 32)
>> [23/Aug/2016:12:49:50 +] - Retry count exceeded in delete
>> [23/Aug/2016:12:49:50 +] DSRetroclPlugin - delete_changerecord: could not delete change record 3292734 (rc: 51)
>>
>> Can I do something about this error? I tried to restart ipa a couple of times but that did not help.
>>
>> Thanks
>> Rakesh
>>
>> On Mon, Aug 22, 2016 at 2:27 PM, Petr Spacek <pspa...@redhat.com> wrote:
>>> On 19.8.2016 19:32, Rakesh Rajasekharan wrote:
>>>> I am running my set up on AWS cloud, and entropy is low at around 180.
>>>>
>>>> I plan to increase it by installing haveged. But would low entropy by any chance cause this issue of intermittent hang?
>>>> Also, the hang is mostly observed when registering around 20 clients together.
>>>
>>> Possibly, I'm not sure. If you want to dig into this, I would do this:
>>>
>>> 1. Look at what process hangs on the client (using the pstree command or so)
>>> $ pstree
>>>
>>> 2. Look at what server and port the hanging client is connected to
>>> $ lsof -p
>>>
>>> 3. Jump to the server and see what process is bound to the target port
>>> $ netstat -pn
>>>
>>> 4. See where the process is hanging
>>> $ strace -p
>>>
>>> I hope it helps.
>>>
>>> Petr^2 Spacek
>>>
>>>> On Fri, Aug 19, 2016 at 7:24 PM, Rakesh Rajasekharan <rakesh.rajasekha...@gmail.com> wrote:
>>>>> Yes, there seems to be something that's worrying.. I have faced this today as well.
>>>>> There are a few hosts, around 280 odd, left and when I try adding them to IPA, the slowness begins..
>>>>>
>>>>> All the ipa commands like ipa user-find.. et
Re: [Freeipa-users] Freeipa 4.2.0 hangs intermittently
I am running my set up on AWS cloud, and entropy is low at around 180.

I plan to increase it by installing haveged. But would low entropy by any chance cause this issue of intermittent hang?
Also, the hang is mostly observed when registering around 20 clients together.

On Fri, Aug 19, 2016 at 7:24 PM, Rakesh Rajasekharan <rakesh.rajasekha...@gmail.com> wrote:
> Yes, there seems to be something that's worrying.. I have faced this today as well.
> There are a few hosts, around 280 odd, left and when I try adding them to IPA, the slowness begins..
>
> All the ipa commands like ipa user-find.. etc. become very slow in responding.
>
> The SYNC_RECV are not many though, just around 80-90, and today that was around 20 only.
>
> I have for now increased tcp_max_syn_backlog to 5000.
> For now the slowness seems to have gone.. but I will try adding the clients again tomorrow and see how it goes.
>
> Thanks
> Rakesh
>
> The issues
>
> On Fri, Aug 19, 2016 at 12:58 PM, Petr Spacek <pspa...@redhat.com> wrote:
>> On 18.8.2016 17:23, Rakesh Rajasekharan wrote:
>>> Hi
>>>
>>> I am migrating to freeipa from openldap and have around 4000 clients.
>>>
>>> I had opened another thread on that, but chose to start a new one here as it's a separate issue.
>>>
>>> I was able to change the nsslapd-maxdescriptors by adding an ldif file
>>>
>>> cat nsslapd-modify.ldif
>>> dn: cn=config
>>> changetype: modify
>>> replace: nsslapd-maxdescriptors
>>> nsslapd-maxdescriptors: 17000
>>>
>>> and running the ldapmodify command.
>>>
>>> I have now started moving clients running an openldap client to Freeipa and have today moved close to 2000 clients.
>>>
>>> However, I have noticed that IPA hangs intermittently.
>>>
>>> Running a kinit admin returns the below error
>>> kinit: Generic error (see e-text) while getting initial credentials
>>>
>>> From the /var/log/messages, I see this entry
>>>
>>> prod-ipa-master-int kernel: [104090.315801] TCP: request_sock_TCP: Possible SYN flooding on port 88. Sending cookies. Check SNMP counters.
>>
>> I would be worried about this message. Maybe kernel/firewall is doing something fishy behind your back and blocking some connections or so.
>>
>> Petr^2 Spacek
>>
>>> Aug 18 13:00:01 prod-ipa-master-int systemd[1]: Started Session 4885 of user root.
>>> Aug 18 13:00:01 prod-ipa-master-int systemd[1]: Starting Session 4885 of user root.
>>> Aug 18 13:01:01 prod-ipa-master-int systemd[1]: Started Session 4886 of user root.
>>> Aug 18 13:01:01 prod-ipa-master-int systemd[1]: Starting Session 4886 of user root.
>>> Aug 18 13:02:40 prod-ipa-master-int python[28984]: ansible-command Invoked with creates=None executable=None shell=True args= removes=None warn=True chdir=None
>>> Aug 18 13:04:37 prod-ipa-master-int sssd_be: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (KDC returned error string: PROCESS_TGS)
>>>
>>> Could it be possible that it's due to the initial load of adding the clients, or is there something else that I need to take care of?
>>>
>>> Thanks,
>>>
>>> Rakesh

-- 
Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Freeipa 4.2.0 hangs intermittently
Yes, there seems to be something that's worrying.. I have faced this today as well.
There are a few hosts, around 280 odd, left and when I try adding them to IPA, the slowness begins..

All the ipa commands like ipa user-find.. etc. become very slow in responding.

The SYNC_RECV are not many though, just around 80-90, and today that was around 20 only.

I have for now increased tcp_max_syn_backlog to 5000.
For now the slowness seems to have gone.. but I will try adding the clients again tomorrow and see how it goes.

Thanks
Rakesh

The issues

On Fri, Aug 19, 2016 at 12:58 PM, Petr Spacek <pspa...@redhat.com> wrote:
> On 18.8.2016 17:23, Rakesh Rajasekharan wrote:
>> Hi
>>
>> I am migrating to freeipa from openldap and have around 4000 clients.
>>
>> I had opened another thread on that, but chose to start a new one here as it's a separate issue.
>>
>> I was able to change the nsslapd-maxdescriptors by adding an ldif file
>>
>> cat nsslapd-modify.ldif
>> dn: cn=config
>> changetype: modify
>> replace: nsslapd-maxdescriptors
>> nsslapd-maxdescriptors: 17000
>>
>> and running the ldapmodify command.
>>
>> I have now started moving clients running an openldap client to Freeipa and have today moved close to 2000 clients.
>>
>> However, I have noticed that IPA hangs intermittently.
>>
>> Running a kinit admin returns the below error
>> kinit: Generic error (see e-text) while getting initial credentials
>>
>> From the /var/log/messages, I see this entry
>>
>> prod-ipa-master-int kernel: [104090.315801] TCP: request_sock_TCP: Possible SYN flooding on port 88. Sending cookies. Check SNMP counters.
>
> I would be worried about this message. Maybe kernel/firewall is doing something fishy behind your back and blocking some connections or so.
>
> Petr^2 Spacek
>
>> Aug 18 13:00:01 prod-ipa-master-int systemd[1]: Started Session 4885 of user root.
>> Aug 18 13:00:01 prod-ipa-master-int systemd[1]: Starting Session 4885 of user root.
>> Aug 18 13:01:01 prod-ipa-master-int systemd[1]: Started Session 4886 of user root.
>> Aug 18 13:01:01 prod-ipa-master-int systemd[1]: Starting Session 4886 of user root.
>> Aug 18 13:02:40 prod-ipa-master-int python[28984]: ansible-command Invoked with creates=None executable=None shell=True args= removes=None warn=True chdir=None
>> Aug 18 13:04:37 prod-ipa-master-int sssd_be: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (KDC returned error string: PROCESS_TGS)
>>
>> Could it be possible that it's due to the initial load of adding the clients, or is there something else that I need to take care of?
>>
>> Thanks,
>>
>> Rakesh
[Freeipa-users] Freeipa 4.2.0 hangs intermittently
Hi

I am migrating to freeipa from openldap and have around 4000 clients.

I had opened another thread on that, but chose to start a new one here as it's a separate issue.

I was able to change the nsslapd-maxdescriptors by adding an ldif file

cat nsslapd-modify.ldif
dn: cn=config
changetype: modify
replace: nsslapd-maxdescriptors
nsslapd-maxdescriptors: 17000

and running the ldapmodify command.

I have now started moving clients running an openldap client to Freeipa and have today moved close to 2000 clients.

However, I have noticed that IPA hangs intermittently.

Running a kinit admin returns the below error
kinit: Generic error (see e-text) while getting initial credentials

From the /var/log/messages, I see this entry

prod-ipa-master-int kernel: [104090.315801] TCP: request_sock_TCP: Possible SYN flooding on port 88. Sending cookies. Check SNMP counters.
Aug 18 13:00:01 prod-ipa-master-int systemd[1]: Started Session 4885 of user root.
Aug 18 13:00:01 prod-ipa-master-int systemd[1]: Starting Session 4885 of user root.
Aug 18 13:01:01 prod-ipa-master-int systemd[1]: Started Session 4886 of user root.
Aug 18 13:01:01 prod-ipa-master-int systemd[1]: Starting Session 4886 of user root.
Aug 18 13:02:40 prod-ipa-master-int python[28984]: ansible-command Invoked with creates=None executable=None shell=True args= removes=None warn=True chdir=None
Aug 18 13:04:37 prod-ipa-master-int sssd_be: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (KDC returned error string: PROCESS_TGS)

Could it be possible that it's due to the initial load of adding the clients, or is there something else that I need to take care of?

Thanks,

Rakesh
[Freeipa-users] freeipa server capacity planning
Hi,

I have a successfully running freeipa setup across my envs.. and am now planning to move it to one of the prod envs where we have around 4000 clients.

I am running a single IPA server instance with regular backups being taken to handle any disasters.

Are there any recommendations on the system configuration? I am using a 4 CPU, 30GB RAM machine. Will that be ok or should I upgrade to a higher configuration?

Also, the default file descriptors is set to 8192 by IPA; with the number of clients, does it make sense to increase the value of nsslapd-maxdescriptors?

Please let me know

Thanks,
Rakesh
Re: [Freeipa-users] sssd shows deleted users as well
Thanks Jan.. I will give that a try

On Fri, Jul 29, 2016 at 7:05 PM, Jan Pazdziora <jpazdzi...@redhat.com> wrote:
> On Fri, Jul 22, 2016 at 06:17:32PM +0530, Rakesh Rajasekharan wrote:
>> My specific requirement for having "enumerate=TRUE" was, we have a build server with the jenkins set up.
>> And for authentication jenkins tries to get the local users on the system.
>>
>> I should be able to get through that by configuring Jenkins to use LDAP instead of the local users.
>
> Alternatively you could use Apache HTTP frontend for authentication per
>
> https://wiki.jenkins-ci.org/display/JENKINS/Apache+frontend+for+security
>
> and use for example mod_authnz_pam configured with PAM service that pam_sss.so / SSSD will handle.
>
> -- 
> Jan Pazdziora
> Senior Principal Software Engineer, Identity Management Engineering, Red Hat
Re: [Freeipa-users] slow login with freeipa 4.2.0
Thanks Jakub for the detailed analysis... with those inputs, I was able to nail down the issue.

I had migrated this host from openldap to freeipa.. However, the nslcd daemon was still running and the syslog pointed me to the error "unable to contact the earlier openldap server" and it spent some time there... So, I stopped nslcd and now logins have improved drastically to around 5s

date;ssh testuser@localhost
Sat Jul 30 08:09:13 UTC 2016
testuser@localhost's password:
Last login: Sat Jul 30 08:08:55 2016 from 127.0.0.1
[p-rakeshpillai@prod1-admintools-1c :~] date
Sat Jul 30 08:09:18 UTC 2016

For the ipa_hostname entry in sssd.conf, that gets auto-populated every time I run ipa-client-install. I run the below command to set up the ipa client

ipa-client-install --domain=xyz.xom --server=ipa-master-int.xyz.xom --realm=xyz.xom -p admin --password=mypass --mkhomedir --hostname=10.65.16.4 --no-ssh --no-sshd -N -f -U

Notice that in the hostname argument I am passing the IP address. Hope that's fine; it's actually working fine on around 2000+ servers in my environment. I had earlier tried with servername.domain (qa-test1.yyz.com as the hostname) and my server's hostname would get changed to qa-test1.yyz.com. However, we do our deployments on glassfish and glassfish somehow started having issues every time we restart glassfish (not an expert with glassfish) so not sure what's wrong there. With this approach, my hostname is now my IP address and things are working fine on both the glassfish and IPA side. But I just want to confirm it's ok to do that.

Thanks,
Rakesh

On Fri, Jul 29, 2016 at 5:10 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
> On Tue, Jul 26, 2016 at 06:07:10PM +0530, Rakesh Rajasekharan wrote:
>>> Any chance that it's running on a VM? If so, check your entropy:
>>>
>>> cat /proc/sys/kernel/random/entropy_avail
>>>
>>> If it's low (like < 1k), install haveged.
>>
>> This indeed is a VM, am running it on azure. However, I have a similar set up running on aws which works completely fine.
>> Sorry about the delay in replying..
>>
>> The entropy was low, around 180. I installed haveged and now it's above 3k
>> cat /proc/sys/kernel/random/entropy_avail
>> 3178
>>
>> The timing though is still the same, around 19s
>
> I have some comments inline about the config and logs.
>
>> @jakub, I am reattaching the logs.
>>
>> The dns resolution seems fast when I check using dig
>>
>> below is my sssd.conf
>> [domain/xyz.com]
>> selinux_provider=none
>> krb5_auth_timeout = 20
>> cache_credentials = True
>> krb5_store_password_if_offline = True
>> ipa_domain = xyz.com
>> id_provider = ipa
>> auth_provider = ipa
>> access_provider = ipa
>> ldap_tls_cacert = /etc/ipa/ca.crt
>> ipa_hostname = 10.65.16.4
>
> The ipa_hostname value is wrong. It's meant for systems where hostname reports a different name than the name the host is registered as in IPA. Including an IP address there doesn't make much sense.
>
>> chpass_provider = ipa
>> ipa_server = ipa-master-in.xyz.com
>> dns_discovery_domain = xyz.com
>> ignore_group_members=True
>> ldap_purge_cache_timeout = 0
>> debug_level=8
>> [sssd]
>> services = nss, sudo, pam, ssh
>> config_file_version = 2
>>
>> domains = xyz.com
>> [nss]
>> homedir_substring = /home
>>
>> [pam]
>> pam_id_timeout = 3
>>
>> [sudo]
>>
>> [autofs]
>>
>> [ssh]
>>
>> [pac]
>>
>> [ifp]
>>
>>
>> And here are the login times and logs
>>
>> [root@ipa-client-1 :~] date;ssh testuser@localhost
>> Tue Jul 26 12:06:37 UTC 2016
>> testuser@localhost's password:
>> Last login: Tue Jul 26 12:03:53 2016 from 127.0.0.1
>> [testuser@ipa-client-1 :~] date
>> Tue Jul 26 12:06:55 UTC 2016
>>
>> sssd_domain logs
>>
>> (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
>> (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
>> (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=testuser]
>> (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [be_req_set_domain] (0x0400): Changing request domain from [xyz.com] to [xyz.com]
>> (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_
[Freeipa-users] ipa restore from backup on another host
Hi,

I would like to restore IPA from a backup taken on another host. My use case is to create a new QA environment and I don't want to go over the process of recreating all the users.

I tried to restore IPA from the backup taken in my first environment. But that failed with hostname difference issues. Is there a way to get this working?

Thanks,
Rakesh
Re: [Freeipa-users] ipa-client install failures, Could not resolve host: ipa-master-in.xyz.com; Unknown error
Thanks for the inputs.. the issue was with my network. I was able to resolve it by adding NETWORKING_IPV6=no in /etc/sysconfig/network; possibly it was using IPv6 resolution and that was failing.

On Thu, Jul 28, 2016 at 1:37 PM, Petr Spacek <pspa...@redhat.com> wrote:
> On 27.7.2016 19:29, Rakesh Rajasekharan wrote:
>> Hi,
>>
>> I am running ipa server 4.2 and set it up without using "--setup-dns=no".
>>
>> On a few clients the installation fails with the below error message.
>>
>> I verified that the ipa master dns is resolvable. Not sure what could be wrong here..
>>
>> Joining realm failed: libcurl failed to execute the HTTP POST transaction, explaining: Could not resolve host: ipa-master-in.xyz.com; Unknown error
>>
>> Use ipa-getkeytab to obtain a host principal for this server.
>> Please make sure the following ports are opened in the firewall settings:
>> TCP: 80, 88, 389
>> UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
>> Also note that following ports are necessary for ipa-client working properly after enrollment:
>> TCP: 464
>> UDP: 464, 123 (if NTP enabled)
>> Failed to obtain host TGT: (-1765328203, 'Key table entry not found')
>> Installation failed. Force set so not rolling back changes.
>>
>> I tried removing /etc/ipa/ca.crt and deleting any older certificates
>> "certutil -D -n 'IPA CA' -d /etc/pki/nssdb"
>>
>> However, no luck yet..
>>
>> Any suggestions on how I can debug this..
>
> I would start with command:
> $ dig ipa-master-in.xyz.com
>
> It should print the IPv4 address of the server ipa-master-in.xyz.com. If it does not print it, there is a problem with DNS. In that case usual DNS debugging guides apply.
>
> I hope it helps.
>
> -- 
> Petr^2 Spacek
[Freeipa-users] ipa-client install failures, Could not resolve host: ipa-master-in.xyz.com; Unknown error
Hi,

I am running ipa server 4.2 and set it up without using "--setup-dns=no".

On a few clients the installation fails with the below error message.

I verified that the ipa master dns is resolvable. Not sure what could be wrong here..

Joining realm failed: libcurl failed to execute the HTTP POST transaction, explaining: Could not resolve host: ipa-master-in.xyz.com; Unknown error

Use ipa-getkeytab to obtain a host principal for this server.
Please make sure the following ports are opened in the firewall settings:
TCP: 80, 88, 389
UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
TCP: 464
UDP: 464, 123 (if NTP enabled)
Failed to obtain host TGT: (-1765328203, 'Key table entry not found')
Installation failed. Force set so not rolling back changes.

I tried removing /etc/ipa/ca.crt and deleting any older certificates
"certutil -D -n 'IPA CA' -d /etc/pki/nssdb"

However, no luck yet..

Any suggestions on how I can debug this..

Thanks
Rakesh
Re: [Freeipa-users] sssd shows deleted users as well
Under the "configure global security" part of jenkins, we can specify how jenkins will fetch users for authentication. One option is "Unix user/group database", wherein it will do a getent passwd and fetch users from there. The other is to specify ldap. There are a few other ways as well but I haven't explored them yet.

Thanks
Rakesh

On Fri, Jul 22, 2016 at 6:54 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
> On Fri, Jul 22, 2016 at 06:17:32PM +0530, Rakesh Rajasekharan wrote:
>> My specific requirement for having "enumerate=TRUE" was, we have a build server with the jenkins set up.
>> And for authentication jenkins tries to get the local users on the system.
>
> I'm not sure what you mean by local users, but does Jenkins really use some sort of interface that lists all users through the system interface? IIRC Jenkins is written in Java, so I would expect some native Java connector instead..
>
>> I should be able to get through that by configuring Jenkins to use LDAP instead of the local users.
>>
>> But are there any other reasons for recommending against "enumerate=TRUE"? I recall reading somewhere as well not to use this specific setting.
>
> - performance
> - in general (because it's not the default and few people use enumeration), less tested than the default
> - idviews don't work
> - trusted AD users can't be enumerated at all
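The sssd.conf posted in the slow-login thread (ipa_hostname set to an IP address, which Jakub flags there) and the reasons given here against enumerate=TRUE both come down to settings that can be checked mechanically. As an added example, not code from the thread or from SSSD, here is a small Python lint over a config constructed from that posted file; the finding names and the debug_level threshold are this example's own choices.

```python
"""Lint an sssd.conf for the settings discussed in these threads.

Added example, not code from the thread or from SSSD.  Findings:
  * ipa_hostname set to an IP literal: SSSD expects the name the host is
    enrolled under (Jakub's point), not an address.
  * enumerate = True: slower, less tested, breaks ID views and trusted
    AD users (Jakub's list).
  * debug_level above 3 in a domain section: verbose per-login logging
    left on outside a debugging session (the threshold is this lint's
    choice; hex bitmask values parse above it and are surfaced for review).
"""
import configparser
import ipaddress

# Constructed from the sssd.conf posted in the slow-login thread, with the
# enumerate=True setting from the Jenkins thread added.
SAMPLE_SSSD_CONF = """\
[domain/xyz.com]
selinux_provider=none
krb5_auth_timeout = 20
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = xyz.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = 10.65.16.4
chpass_provider = ipa
ipa_server = ipa-master-in.xyz.com
dns_discovery_domain = xyz.com
ignore_group_members=True
ldap_purge_cache_timeout = 0
debug_level=8
enumerate = True

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = xyz.com
"""

# The same config with the three findings fixed (constructed; the FQDN is a
# placeholder for the name the client is actually enrolled as).
CLEAN_SSSD_CONF = SAMPLE_SSSD_CONF.replace(
    "ipa_hostname = 10.65.16.4", "ipa_hostname = ipa-client-1.xyz.com"
).replace("debug_level=8\n", "").replace("enumerate = True\n", "")

DEBUG_LEVEL_MAX = 3  # legacy 0-9 scale; 4 and above means verbose


def _is_true(value):
    return value.strip().lower() in ("true", "yes", "1")


def _is_ip_literal(value):
    try:
        ipaddress.ip_address(value.strip())
        return True
    except ValueError:
        return False


def lint_sssd_conf(text):
    """Return (section, key, message) findings for every [domain/...] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        sec = cp[section]
        hostname = sec.get("ipa_hostname")
        if hostname and _is_ip_literal(hostname):
            findings.append((section, "ipa_hostname",
                             "IP literal %r; use the FQDN the host is enrolled as" % hostname))
        if _is_true(sec.get("enumerate", "false")):
            findings.append((section, "enumerate",
                             "enumeration is slow, less tested, and breaks ID views / AD trust users"))
        level = sec.get("debug_level")
        if level is not None:
            try:
                verbose = int(level, 0) > DEBUG_LEVEL_MAX
            except ValueError:
                verbose = True  # unparseable value: surface it for review
            if verbose:
                findings.append((section, "debug_level",
                                 "debug_level=%s leaves verbose logging on" % level))
    return findings


if __name__ == "__main__":
    for section, key, msg in lint_sssd_conf(SAMPLE_SSSD_CONF):
        print("%s: %s: %s" % (section, key, msg))
```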
[Freeipa-users] freeipa password policy (history) getting reset with password reset
Hi,

I am running a freeipa server 4.2.x. I have the following global password policy set to force a history of 3

ipa pwpolicy-mod global_policy --history=3 --maxlife=90 --minlength=8 --maxfail=3 --failinterval=300

This works well when the user himself changes the password.. and IPA does not allow reusing an older password.

However, if the admin resets it ("ipa user-mod testuser --random") then it seems to reset the password history as well and the user can now re-use his older password.

Is this expected or is there something I can do about it?

Also, is there a way to get the password expiry warning at the terminal when a user logs in, something similar to the "pwdExpireWarning" in ldap? I searched a bit and could only find setting up email alerts.

Thanks,
Rakesh
Re: [Freeipa-users] ipa-client password authentication failed
Somehow, I am no longer facing this issue.. the only change I did was, I corrected the /etc/openldap/ldap.conf file to point to the ipa master dns rather than the older ldap dns. The file had "#File modified by ipa-client-install" but it did not change the ldap dns and still pointed to the older entry. I just corrected it and restarted sssd.

It though did not work initially after changing; however, I am no longer facing that issue now. Maybe it was a caching issue.

Thanks,
Rakesh

On Sun, Apr 24, 2016 at 5:01 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
>> On 22 Apr 2016, at 19:21, Rakesh Rajasekharan <rakesh.rajasekha...@gmail.com> wrote:
>>
>> Hi Jakub
>>
>> The child only had that much info..
>>
>> From the domain logs, it looks like it was able to resolve the master. However, the ldap results say found nothing.
>>
>> I was earlier running an openldap client on this host and then migrated to IPA.
>>
>> /etc/openldap/ldap.conf was still pointing to the older ldap master..
>>
>> #File modified by ipa-client-install
>>
>> URI ldaps://older-ldap-master.com:636/
>> BASE dc=xyz,dc=com
>> TLS_CACERT /etc/ipa/ca.crt
>>
>> TLS_CACERTDIR /etc/openldap/cacerts]
>>
>> I corrected that to point to IPA and noticed that getent passwd now successfully lists all the users.
>> However, the authentication does not work yet. (ldapsearch -x though shows all the users).
>>
>> I re-tested it now...
>>
>> Below is the domain log
>> (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [ldb] (0x4000): start ldb transaction (nesting: 3)
>> (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x118fab0
>>
>> (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x11925f0
>>
>> (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [ldb] (0x4000): Running timer event 0x118fab0 "ltdb_callback"
>>
>> (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [ldb] (0x4000): Destroying timer event 0x11925f0 "ltdb_timeout"
>>
>> (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [ldb] (0x4000): Ending timer event 0x118fab0 "ltdb_callback"
>>
>> (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [ldb] (0x4000): cancel ldb transaction (nesting: 3)
>> (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [ldb] (0x4000): commit ldb transaction (nesting: 2)
>> (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [ldb] (0x4000): commit ldb transaction (nesting: 1)
>> (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [sdap_save_users] (0x4000): User 0 processed!
>> (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [ldb] (0x4000): commit ldb transaction (nesting: 0)
>> (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [sdap_get_users_done] (0x4000): Saving 1 Users - Done
>> (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [sdap_id_op_done] (0x4000): releasing operation connection
>> (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x118fd20
>>
>> (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x1182770
>>
>> (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [ldb] (0x4000): Running timer event 0x118fd20 "ltdb_callback"
>>
>> (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [ldb] (0x4000): Destroying timer event 0x1182770 "ltdb_timeout"
>>
>> (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [ldb] (0x4000): Ending timer event 0x118fd20 "ltdb_callback"
>>
>> (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
>> (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [ipa_get_ad_override_connect_done] (0x4000): Searching for overrides in view [Default Trust View] with filter [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:IPA:xyz.com:8c7e86dc-0536-11e6-94f8-0e49bd988575))].
>> (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [sdap_print_server] (0x2000): Searching 10.0.4.175
>> (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:IPA:xyz.com:8c7e86dc-0536-11e6-94f8-0e49bd988575))][cn=Default Trust View,cn=views,cn=accounts,dc=xyz,dc=com].
>> (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 105
[Freeipa-users] ipa-client password authentication failed
Hi There,

I have successfully set up and am running freeipa in my environment. I am running a freeipa master 4.2.x and my ipa clients are at 3.0.0-47. This set up works fine for the majority of servers. But just on one host I am unable to authenticate the users; it gives me password denied.

Below is the error from /var/log/secure

Apr 22 14:25:26 localhost sshd[18785]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.2.5.13 user=q-testuser
Apr 22 14:25:27 localhost sshd[18785]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.2.5.213 user=q-testuser
Apr 22 14:25:27 localhost sshd[18785]: pam_sss(sshd:auth): received for user q-testuser: 4 (System error)

and in my krb5_child.log, I see the below lines,

(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [main] (0x0400): krb5_child started.
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [unpack_buffer] (0x1000): total buffer size: [171]
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [unpack_buffer] (0x0100): cmd [241] uid [114201] gid [114201] validate [true] enterprise principal [false] offline [false] UPN [q-testu...@xyz.com]
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_114201_XX] old_ccname: [FILE:/tmp/krb5cc_114201_RjJBN2] keytab: [/etc/krb5.keytab]
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [switch_creds] (0x0200): Switch user to [114201][114201].
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [sss_krb5_cc_verify_ccache] (0x2000): TGT not found or expired.
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [switch_creds] (0x0200): Switch user to [0][0].
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [k5c_check_old_ccache] (0x4000): Ccache_file is [FILE:/tmp/krb5cc_114201_RjJBN2] and is not active and TGT is valid.
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [k5c_precreate_ccache] (0x4000): Recreating ccache
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/10.2.2...@xyz.com]
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [find_principal_in_keytab] (0x4000): Trying to find principal host/10.2.2...@xyz.com in keytab.
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [match_principal] (0x1000): Principal matched to the sample (host/10.2.2...@xyz.com).
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [become_user] (0x0200): Trying to become user [114201][114201].
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [main] (0x2000): Running as [114201][114201].
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [k5c_setup] (0x2000): Running as [114201][114201].
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [main] (0x0400): Will perform online auth
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [XYZ.COM]
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [sss_child_krb5_trace_cb] (0x4000): [19603] 1461335344.127643: Getting initial credentials for q-testu...@xyz.com
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [sss_child_krb5_trace_cb] (0x4000): [19603] 1461335344.127715: FAST armor ccache: MEMORY:/var/lib/sss/db/fast_ccache_XYZ.COM
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [sss_child_krb5_trace_cb] (0x4000): [19603] 1461335344.127767: Retrieving host/10.2.2...@xyz.com -> krb5_ccache_conf_data/fast_avail/krbtgt\/XYZ.COM\@XYZ.COM@X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_XYZ.COM with result: -1765328243/Matching credential not found
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [sss_child_krb5_trace_cb] (0x4000): [19603] 1461335344.127832: Sending request (185 bytes) to XYZ.COM
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [sss_child_krb5_trace_cb] (0x4000): [19603] 1461335344.128056: Initiating TCP connection to stream 10.0.4.175:88
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [sss_child_krb5_trace_cb] (0x4000): [19603] 1461335344.129419: Sending TCP request to stream 10.
krb5_child.log (END)

Can someone please advise what seems to be going wrong here?

Thanks,
Rakesh
[Freeipa-users] freeipa restore backup on a new server
Hi,

I am running ipa-server version 4.2 on AWS, and am testing the freeipa backup and restore. The restoration works fine if it's on the same host, wherein I uninstall freeipa, install it back and then do a full restore.

However, if it's a new machine with a different IP, the restoration fails. I am running the restoration from an ansible playbook. Here's the output that I get:

Preparing restore from /tmp/ipa/ipa-full-2016-04-12 on test-ipa-master-int.xyz.com
Performing FULL restore from FULL backup
Each master will individually need to be re-initialized or re-created from this one. The replication agreements on masters running IPA 3.1 or earlier will need to be manually re-enabled. See the man page for details.
Disabling all replication.
Stopping IPA services
Systemwide CA database updated.
Restoring files
Systemwide CA database updated.
Restoring from userRoot in xyz-COM
Restoring from ipaca in xyz-COM
Starting IPA services
Command ''ipactl' 'start'' returned non-zero exit status 1
stdout: Configuring certmonger to stop tracking system certificates for CA

Is there a limitation that the IP needs to be the same for a restore to happen, or am I missing something?

Thanks,
Rakesh
Re: [Freeipa-users] unable to authenticate using freeipa client
Yes, the space was indeed the culprit... I cleaned up some and login works fine now.. Thanks!!

On Tue, Mar 15, 2016 at 1:55 PM, Sumit Bose <sb...@redhat.com> wrote:
> On Mon, Mar 14, 2016 at 05:50:34PM +0530, Rakesh Rajasekharan wrote:
> > I set up freeipa in my environment and it works perfectly.
> >
> > But just on one host, I am not able to authenticate. I get a permission
> > denied error.
> >
> > The sssd version I have is 1.12
> >
> > the krb5_child log does point to some error,
> > krb5_child.log
> > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862]]]] [unpack_buffer] (0x2000): No old ccache
> > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_5102_XX] old_ccname: [not set] keytab: [/etc/krb5.keytab]
> > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862]]]] [k5c_precreate_ccache] (0x4000): Recreating ccache
> > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/1.1@test.com]
> > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862]]]] [find_principal_in_keytab] (0x4000): Trying to find principal host/1.1@test.com in keytab.
> > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862]]]] [match_principal] (0x1000): Principal matched to the sample (host/1.1@test.com).
> > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862]]]] [get_tgt_times] (0x1000): FAST ccache must be recreated
> > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11864]]]] [become_user] (0x0200): Trying to become user [0][0].
> > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11864]]]] [become_user] (0x0200): Already user [0].
> > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11864]]]] [check_fast_ccache] (0x2000): Running as [0][0].
> > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11864]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11864]]]] [create_ccache] (0x4000): Initializing ccache of type [FILE]
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [check_fast_ccache] (0x0200): FAST TGT was successfully recreated!
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [become_user] (0x0200): Trying to become user [5102][701].
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [main] (0x2000): Running as [5102][701].
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [k5c_setup] (0x2000): Running as [5102][701].
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [main] (0x0400): Will perform online auth
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [TEST.COM]
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [sss_child_krb5_trace_cb] (0x4000): [11862] 1457956948.18425: Getting initial credentials for q-tempu...@test.com
> >
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [sss_child_krb5_trace_cb] (0x4000): [11862] 1457956948.18471: FAST armor ccache: MEMORY:/var/lib/sss/db/fast_ccache_TEST.COM
> >
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [sss_child_krb5_trace_cb] (0x4000): [11862] 1457956948.18502: Retrieving host/1.1@test.com -> krb5_ccache_conf_data/fast_avail/krbtgt\/TEST.COM\@TEST.COM@X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_TEST.COM with result: -1765328243/Matching credential not found
> >
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [sss_child_krb5_trace_cb] (0x4000): [11862] 1457956948.18545: Sending request (189 bytes) to TEST.COM
> >
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [sss_child_krb5_trace_cb] (0x4000): [11862] 1457956948.187.36: Initiating TCP connection to stre
> > (END)
>
> Does the krb5_child.log really ends h
Re: [Freeipa-users] unable to authenticate using freeipa client
For the error in the krb5_child.log

(Tue Mar 15 04:35:51 2016) [[sssd[krb5_child[13708]]]] [sss_child_krb5_trace_cb] (0x4000): [13708] 1458016551.87210: Received error from KDC: -1765328359/Additional pre-authentication required

I deleted the sssd cache as well as the /tmp/krb5* and restarted sssd; still the issue persists.

Another error that I see is in /var/log/secure

Mar 14 21:35:51 ip-1-1-1-1 sshd[13705]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=q-tempuser
Mar 14 21:35:51 ip-1-1-1-1 sshd[13705]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=q-tempuser
Mar 14 21:35:51 ip-1-1-1-1 sshd[13705]: pam_sss(sshd:auth): received for user q-tempuser: 4 (System error)

I have "UsePAM yes" and "GSSAPIAuthentication yes" in sshd_config, so not sure what's causing this.. I tried uninstalling and installing back the client as well, but it did not help.. Anything else that I might be missing out..

Thanks,
Rakesh

On Mon, Mar 14, 2016 at 5:50 PM, Rakesh Rajasekharan <rakesh.rajasekha...@gmail.com> wrote:
> I set up freeipa in my environment and it works perfectly.
>
> But just on one host, I am not able to authenticate. I get a permission
> denied error.
>
> The sssd version I have is 1.12
>
> the krb5_child log does point to some error,
> krb5_child.log
> (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862]]]] [unpack_buffer] (0x2000): No old ccache
> (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_5102_XX] old_ccname: [not set] keytab: [/etc/krb5.keytab]
> (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862]]]] [k5c_precreate_ccache] (0x4000): Recreating ccache
> (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/1.1@test.com]
> (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862]]]] [find_principal_in_keytab] (0x4000): Trying to find principal host/1.1@test.com in keytab.
> (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862]]]] [match_principal] (0x1000): Principal matched to the sample (host/1.1@test.com).
> (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862]]]] [get_tgt_times] (0x1000): FAST ccache must be recreated
> (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11864]]]] [become_user] (0x0200): Trying to become user [0][0].
> (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11864]]]] [become_user] (0x0200): Already user [0].
> (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11864]]]] [check_fast_ccache] (0x2000): Running as [0][0].
> (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11864]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
> (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11864]]]] [create_ccache] (0x4000): Initializing ccache of type [FILE]
> (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [check_fast_ccache] (0x0200): FAST TGT was successfully recreated!
> (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [become_user] (0x0200): Trying to become user [5102][701].
> (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [main] (0x2000): Running as [5102][701].
> (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [k5c_setup] (0x2000): Running as [5102][701].
> (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
> (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
> (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
> (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [main] (0x0400): Will perform online auth
> (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
> (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [TEST.COM]
> (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [sss_child_krb5_trace_cb] (0x4000): [11862] 1457956948.18425: Getting initial credentials for q-tempu...@test.com
>
> (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [sss_child_krb5_trace_cb] (0x4000): [11862] 1457956948.18471: FAST armor ccache: MEMORY:/var/lib/sss/db/fast_ccache_TEST.COM
>
> (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [sss_child_krb5_trace_cb] (0x4000): [11862] 1457956948.18502: Retrieving host/1.1@test.com -> krb5_ccache_conf_data/fast_avail/krbtgt\/TEST.COM\@TEST.COM@X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_c
[Freeipa-users] unable to authenticate using freeipa client
I set up freeipa in my environment and it works perfectly.

But just on one host, I am not able to authenticate. I get a permission denied error.

The sssd version I have is 1.12

The krb5_child log does point to some error,

krb5_child.log
(Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862]]]] [unpack_buffer] (0x2000): No old ccache
(Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_5102_XX] old_ccname: [not set] keytab: [/etc/krb5.keytab]
(Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862]]]] [k5c_precreate_ccache] (0x4000): Recreating ccache
(Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/1.1@test.com]
(Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862]]]] [find_principal_in_keytab] (0x4000): Trying to find principal host/1.1@test.com in keytab.
(Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862]]]] [match_principal] (0x1000): Principal matched to the sample (host/1.1@test.com).
(Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862]]]] [get_tgt_times] (0x1000): FAST ccache must be recreated
(Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11864]]]] [become_user] (0x0200): Trying to become user [0][0].
(Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11864]]]] [become_user] (0x0200): Already user [0].
(Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11864]]]] [check_fast_ccache] (0x2000): Running as [0][0].
(Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11864]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11864]]]] [create_ccache] (0x4000): Initializing ccache of type [FILE]
(Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [check_fast_ccache] (0x0200): FAST TGT was successfully recreated!
(Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [become_user] (0x0200): Trying to become user [5102][701].
(Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [main] (0x2000): Running as [5102][701].
(Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [k5c_setup] (0x2000): Running as [5102][701].
(Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [main] (0x0400): Will perform online auth
(Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
(Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [TEST.COM]
(Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [sss_child_krb5_trace_cb] (0x4000): [11862] 1457956948.18425: Getting initial credentials for q-tempu...@test.com
(Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [sss_child_krb5_trace_cb] (0x4000): [11862] 1457956948.18471: FAST armor ccache: MEMORY:/var/lib/sss/db/fast_ccache_TEST.COM
(Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [sss_child_krb5_trace_cb] (0x4000): [11862] 1457956948.18502: Retrieving host/1.1@test.com -> krb5_ccache_conf_data/fast_avail/krbtgt\/TEST.COM\@TEST.COM@X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_TEST.COM with result: -1765328243/Matching credential not found
(Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [sss_child_krb5_trace_cb] (0x4000): [11862] 1457956948.18545: Sending request (189 bytes) to TEST.COM
(Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [sss_child_krb5_trace_cb] (0x4000): [11862] 1457956948.187.36: Initiating TCP connection to stre
(END)

And here are the contents from sssd_domain.log

sssd_test.com
(Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] (0x0100): domain: test.com
(Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] (0x0100): user: q-tempuser
(Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] (0x0100): service: sshd
(Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] (0x0100): tty: ssh
(Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] (0x0100): ruser:
(Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] (0x0100): rhost: 127.0.0.1
(Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] (0x0100): authtok type: 1
(Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] (0x0100): priv: 1
(Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] (0x0100): cli_pid: 11794
(Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] (0x0100): logon name: not set
(Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [ldb] (0x4000): Added
[Freeipa-users] version compatibility between server and client
Hi!,

I had successfully set up ipa in our qa environment, but since we are running CentOS 6, I just got the 3.0.25 version of IPA. I wanted to try out the latest 4.x version for the server by using a CentOS 7 OS. But I have a few questions regarding that.

Will there be compatibility issues if I use a server at 4.x and clients at 3.0.25?

Another question is: from the documentation, I see that there's an option to manually configure a client wherein we do not have to install freeipa-client using ipa-client-install
https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/linux-manual.html

So that way, I can install the latest version of freeipa server and make my clients also be able to use the latest version without actually installing it. But are there any issues with this approach, and how does it differ from doing an ipa-client-install on the client machine?

Thanks,
Rakesh
Re: [Freeipa-users] freeipa permission denied for user
>>Actually, it should be 1777
> sh$ ls -ld /tmp/
> drwxrwxrwt. 11 root root 260 Feb 19 10:27 /tmp/
>          ^
> This is important.

Yes, I have now corrected them... Thanks...

On Fri, Feb 19, 2016 at 2:59 PM, Lukas Slebodnik <lsleb...@redhat.com> wrote:
> On (19/02/16 14:54), Rakesh Rajasekharan wrote:
> >>
> >>This usually means a critical error in sssd.
> >> Please provide log files (sssd_$domain.log and krb5_child.log)
> >
> >I found this in my sssd-$domain.log
> >
> > [krb5_auth_prepare_ccache_name] (0x1000): No ccache file for user
> >[tempuser] found
> >
> >so searching around I found that the permissions for the /tmp directory
> >should be 777..
> >
> >setting it to 777 fixed the issue for me..
> >
> Actually, it should be 1777
> sh$ ls -ld /tmp/
> drwxrwxrwt. 11 root root 260 Feb 19 10:27 /tmp/
>          ^
> This is important.
>
> LS
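Two of the threads above end with the same fix point: the directory in which SSSD's krb5_child creates per-user credential caches (the FILE:/tmp/krb5cc_<uid>_... paths in the krb5_child logs). In one thread the culprit was space ("I cleaned up some"); in this one it was the mode, where the reply insists on 1777 rather than 777 because without the sticky bit any local user can delete or rename another user's ccache. The following preflight check is an added example and not code from the list; it assumes GNU coreutils (stat -c, df -P) as found on a CentOS/RHEL client, and the 1024 KiB and 100-inode thresholds are arbitrary defaults chosen here.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Checks that a ccache
# directory is mode 1777 (world writable, sticky) and not out of space or
# inodes, the two conditions behind "No ccache file for user [...] found"
# and the krb5_child "Permission denied" messages seen in these threads.
# Assumes GNU coreutils (stat -c, df -P).

# Octal mode of a directory, e.g. 1777 for a correctly set up /tmp.
dir_mode() {
    stat -c '%a' "$1"
}

# Free space, in KiB, on the filesystem that holds the directory.
dir_free_kb() {
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# Free inodes on that filesystem; some filesystems report "-" here.
dir_free_inodes() {
    df -Pi "$1" | awk 'NR == 2 { print $4 }'
}

# Return 0 if DIR (default /tmp) is usable as a ccache directory:
# it exists, is mode 1777 and has at least MIN_KB KiB free (default 1024).
# Each problem found is printed with the fix, so the output can go
# straight into a ticket or a config-management check.
check_ccache_dir() {
    d="${1:-/tmp}"
    min_kb="${2:-1024}"
    rc=0
    if [ ! -d "$d" ]; then
        echo "$d: not a directory"
        return 1
    fi
    mode=$(dir_mode "$d")
    if [ "$mode" != "1777" ]; then
        echo "$d: mode $mode, expected 1777 (fix: chmod 1777 $d)"
        rc=1
    fi
    free_kb=$(dir_free_kb "$d")
    if [ "$free_kb" -lt "$min_kb" ]; then
        echo "$d: only ${free_kb} KiB free, below ${min_kb} KiB"
        rc=1
    fi
    free_inodes=$(dir_free_inodes "$d")
    case "$free_inodes" in
        ''|*[!0-9]*) ;;    # filesystem does not report inodes; skip
        *)
            if [ "$free_inodes" -lt 100 ]; then
                echo "$d: only ${free_inodes} inodes free"
                rc=1
            fi
            ;;
    esac
    return $rc
}

# Usage on a client, as root:
#   check_ccache_dir /tmp && echo "ccache directory OK"
```

The check deliberately fails on 777 as well as on anything more restrictive: krb5_child drops to the user's uid before creating the cache (the "Trying to become user [5102][701]" lines), so the directory must be world writable, and the sticky bit is what keeps that from being a cross-user deletion primitive.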
Re: [Freeipa-users] freeipa permission denied for user
> >This usually means a critical error in sssd.
> Please provide log files (sssd_$domain.log and krb5_child.log)

I found this in my sssd-$domain.log

[krb5_auth_prepare_ccache_name] (0x1000): No ccache file for user [tempuser] found

So searching around, I found that the permissions for the /tmp directory should be 777..

Setting it to 777 fixed the issue for me..

Thanks,
Rakesh

On Fri, Feb 19, 2016 at 1:08 PM, Lukas Slebodnik <lsleb...@redhat.com> wrote:
> On (18/02/16 18:41), Rakesh Rajasekharan wrote:
> >I set up freeipa on our environment and it works perfectly for most of the
> >hosts.. but on a few I am getting a permission denied.
> >
> >[root@ipa-client-1c :~] ssh tempuser@localhost
> >tempuser@localhost's password:
> >Permission denied, please try again.
> >tempuser@localhost's password:
> >
> >I checked the hbac, but that seems to be fine
> >
> >root@ipa-master-test-1b ] ipa hbactest --user=tempuser --host=x.x.x.x --service=sshd
> >
> >Access granted: True
> >
> > Matched rules: allow_all
> >
> >Another thing I noticed is the nsswitch.conf had the below entries after
> >the freeipa installation
> >passwd: files sss ldap
> >shadow: files sss ldap
> >group: files sss ldap
> >
> >hosts: files dns
> >
> >bootparams: nisplus [NOTFOUND=return] files
> >
> >ethers: files
> >netmasks: files
> >networks: files
> >protocols: files
> >rpc: files
> >services: files sss
> >
> >netgroup: files sss ldap
> >
> >publickey: nisplus
> >
> >automount: files ldap
> >aliases: files nisplus
> >
> >sudoers: files sss
> >
> >The ldap shouldn't be there above I guess..
> >
> >and from the logs, I have the below errors
> >
> >==> /var/log/secure <==
> >Feb 18 03:29:33 ip-x-x-x-x sshd[24851]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=tempuser
> >Feb 18 03:29:33 ip-x-x-x-x sshd[24851]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=tempuser
> >Feb 18 03:29:33 ip-x-x-x-x sshd[24851]: pam_sss(sshd:auth): received for user tempuser: 4 (System error)
>
> This usually means a critical error in sssd.
> Please provide log files (sssd_$domain.log and krb5_child.log)
> with high debug level.
> https://fedorahosted.org/sssd/wiki/Troubleshooting
>
> Which version of sssd do you have?
>
> LS
Re: [Freeipa-users] freeipa permission denied for user
The permission for /etc/krb5.conf was already set to 644. So that aspect looks fine.. I think it might be something to do with the pam settings.

Here is my sssd.conf

[root@ipa-client :/etc/sssd] cat sssd.con
[domain/xyz.com]
krb5_auth_timeout = 30
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = xyz.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = x.x.x.x
chpass_provider = ipa
ipa_server = _srv_, ipa-master.xyz.com
dns_discovery_domain = xyz.com

[domain/default]
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = dc=ldap,dc=qa,dc=xyz,dc=com
krb5_realm = xyz.com
krb5_server = ipa-master.xyz.com:88
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://ldap-int.xyz.com:636
ldap_tls_cacertdir = /etc/openldap/cacerts

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = default, xyz.com

[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

Thanks,
Rakesh

On Thu, Feb 18, 2016 at 6:52 PM, Martin Kosek <mko...@redhat.com> wrote:
> On 02/18/2016 02:11 PM, Rakesh Rajasekharan wrote:
> > I set up freeipa on our environment and it works perfectly for most of the
> > hosts.. but on a few I am getting a permission denied.
> >
> > [root@ipa-client-1c :~] ssh tempuser@localhost
> > tempuser@localhost's password:
> > Permission denied, please try again.
> > tempuser@localhost's password:
> >
> > I checked the hbac, but that seems to be fine
> >
> > root@ipa-master-test-1b ] ipa hbactest --user=tempuser --host=x.x.x.x --service=sshd
> >
> > Access granted: True
> >
> > Matched rules: allow_all
> >
> > Another thing I noticed is the nsswitch.conf had the below entries after
> > the freeipa installation
> > passwd: files sss ldap
> > shadow: files sss ldap
> > group: files sss ldap
> >
> > hosts: files dns
> >
> > bootparams: nisplus [NOTFOUND=return] files
> >
> > ethers: files
> > netmasks: files
> > networks: files
> > protocols: files
> > rpc: files
> > services: files sss
> >
> > netgroup: files sss ldap
> >
> > publickey: nisplus
> >
> > automount: files ldap
> > aliases: files nisplus
> >
> > sudoers: files sss
> >
> > The ldap shouldn't be there above I guess..
> >
> > and from the logs, I have the below errors
> >
> > ==> /var/log/secure <==
> > Feb 18 03:29:33 ip-x-x-x-x sshd[24851]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=tempuser
> > Feb 18 03:29:33 ip-x-x-x-x sshd[24851]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=tempuser
> > Feb 18 03:29:33 ip-x-x-x-x sshd[24851]: pam_sss(sshd:auth): received for user tempuser: 4 (System error)
> > Feb 18 03:29:35 ip-x-x-x-x sshd[24851]: Failed password for tempuser from x.x.x.x port 36687 ssh2
> > Feb 18 03:29:39 ip-x-x-x-x sshd[24853]: Connection closed by x.x.x.x
> > Feb 18 03:34:17 ip-x-x-x-x sshd[25108]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=tempuser
> > Feb 18 03:34:17 ip-x-x-x-x sshd[25108]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=tempuser
> > Feb 18 03:34:17 ip-x-x-x-x sshd[25108]: pam_sss(sshd:auth): received for user tempuser: 4 (System error)
> > Feb 18 03:34:19 ip-x-x-x-x sshd[25108]: Failed password for tempuser from 127.0.0.1 port 59870 ssh2
> >
> > ==> /var/log/messages <==
> > Feb 18 03:37:45 ip-x-x-x-x sssd[be[xyz.com]]: Shutting down
> > Feb 18 03:37:45 ip-x-x-x-x sssd: Starting up
> > Feb 18 03:37:46 ip-x-x-x-x sssd[be[xyz.com]]: Starting up
> > Feb 18 03:37:46 ip-x-x-x-x sssd[nss]: Starting up
> > Feb 18 03:37:46 ip-x-x-x-x sssd[sudo]: Starting up
> > Feb 18 03:37:46 ip-x-x-x-x sssd[pam]: Starting up
> > Feb 18 03:37:46 ip-x-x-x-x sssd[pac]: Starting up
> > Feb 18 03:37:46 ip-x-x-x-x sssd[ssh]: Starting up
> > Feb 18 03:37:46 ip-x-x-x-x sssd[be[xyz.com]]: dereference processing failed : Input/output error
> > Feb 18 03:37:46 ip-x-x-x-x sssd[be[xyz.com]]: dereference processing failed : Input/output error
> > Feb 18 03:38:41 ip-x-x-x-x [sssd[krb5_child[25324]]]: Permission denied
> > Feb 18 03:38:41 ip-x-x-x-x [sssd[krb5_child[25324]]]: Permission denied
>
> Could it be caused by /etc/krb5.conf permissions as here:
> https://lists.fedorahosted.org/pipermail/sssd-users/2014-August/002103.html
> ?
>
> Some advice is also here:
> http://serverfault.com/questions/697113/linux-ad-integration-unable-to-login-when-using-windows-server-2012-dc
>
> Martin
[Freeipa-users] freeipa permission denied for user
I set up freeipa on our environment and it works perfectly for most of the hosts.. but on a few I am getting a permission denied.

[root@ipa-client-1c :~] ssh tempuser@localhost
tempuser@localhost's password:
Permission denied, please try again.
tempuser@localhost's password:

I checked the hbac, but that seems to be fine

root@ipa-master-test-1b ] ipa hbactest --user=tempuser --host=x.x.x.x --service=sshd

Access granted: True

  Matched rules: allow_all

Another thing I noticed is the nsswitch.conf had the below entries after the freeipa installation

passwd: files sss ldap
shadow: files sss ldap
group: files sss ldap

hosts: files dns

bootparams: nisplus [NOTFOUND=return] files

ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss

netgroup: files sss ldap

publickey: nisplus

automount: files ldap
aliases: files nisplus

sudoers: files sss

The ldap shouldn't be there above I guess..

and from the logs, I have the below errors

==> /var/log/secure <==
Feb 18 03:29:33 ip-x-x-x-x sshd[24851]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=tempuser
Feb 18 03:29:33 ip-x-x-x-x sshd[24851]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=tempuser
Feb 18 03:29:33 ip-x-x-x-x sshd[24851]: pam_sss(sshd:auth): received for user tempuser: 4 (System error)
Feb 18 03:29:35 ip-x-x-x-x sshd[24851]: Failed password for tempuser from x.x.x.x port 36687 ssh2
Feb 18 03:29:39 ip-x-x-x-x sshd[24853]: Connection closed by x.x.x.x
Feb 18 03:34:17 ip-x-x-x-x sshd[25108]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=tempuser
Feb 18 03:34:17 ip-x-x-x-x sshd[25108]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=tempuser
Feb 18 03:34:17 ip-x-x-x-x sshd[25108]: pam_sss(sshd:auth): received for user tempuser: 4 (System error)
Feb 18 03:34:19 ip-x-x-x-x sshd[25108]: Failed password for tempuser from 127.0.0.1 port 59870 ssh2

==> /var/log/messages <==
Feb 18 03:37:45 ip-x-x-x-x sssd[be[xyz.com]]: Shutting down
Feb 18 03:37:45 ip-x-x-x-x sssd: Starting up
Feb 18 03:37:46 ip-x-x-x-x sssd[be[xyz.com]]: Starting up
Feb 18 03:37:46 ip-x-x-x-x sssd[nss]: Starting up
Feb 18 03:37:46 ip-x-x-x-x sssd[sudo]: Starting up
Feb 18 03:37:46 ip-x-x-x-x sssd[pam]: Starting up
Feb 18 03:37:46 ip-x-x-x-x sssd[pac]: Starting up
Feb 18 03:37:46 ip-x-x-x-x sssd[ssh]: Starting up
Feb 18 03:37:46 ip-x-x-x-x sssd[be[xyz.com]]: dereference processing failed : Input/output error
Feb 18 03:37:46 ip-x-x-x-x sssd[be[xyz.com]]: dereference processing failed : Input/output error
Feb 18 03:38:41 ip-x-x-x-x [sssd[krb5_child[25324]]]: Permission denied
Feb 18 03:38:41 ip-x-x-x-x [sssd[krb5_child[25324]]]: Permission denied
Re: [Freeipa-users] Connection closed by UNKNOWN
> Why is both pam_ldap and pam_sss in the PAM stack? This seems a bit
> wrong..

This was the pointer... there was a prior installation of openldap and the entries for ldap were still there:

auth        sufficient    pam_ldap.so use_first_pass
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
password    sufficient    pam_ldap.so use_authtok
session     optional      pam_ldap.so

I removed it and everything works perfectly... Thanks!!

On Mon, Feb 15, 2016 at 9:16 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
> On Mon, Feb 15, 2016 at 06:59:57PM +0530, Rakesh Rajasekharan wrote:
> > this is what I have in /var/log/secure
> >
> > Feb 15 12:22:33 ipa-xyz sshd[13499]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=tempuser
> > Feb 15 12:22:33 ipa-xyz sshd[13499]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=tempuser
> > Feb 15 12:22:33 ipa-xyz sshd[13499]: pam_sss(sshd:auth): received for user tempuser: 7 (Authentication failure)
> > Feb 15 12:22:33 ipa-xyz sshd[13499]: pam_ldap: ldap_simple_bind Can't contact LDAP server
> > Feb 15 12:22:33 ipa-xyz sshd[13499]: pam_ldap: reconnecting to LDAP server...
> > Feb 15 12:22:33 ipa-xyz sshd[13499]: pam_ldap: ldap_simple_bind Can't contact LDAP server
>
> Why is both pam_ldap and pam_sss in the PAM stack? This seems a bit
> wrong..
>
> > Feb 15 12:22:35 ipa-xyz sshd[13499]: Failed password for tempuser from x.x.x.x port 34318 ssh2
> > Feb 15 12:22:37 ipa-xyz sshd[13500]: Connection closed by x.x.x.x
> > Feb 15 12:31:32 ipa-xyz sshd[13859]: Accepted publickey for root from x.x.x.x port 56275 ssh2
> > Feb 15 12:31:32 ipa-xyz sshd[13859]: pam_unix(sshd:session): session opened for user root by (uid=0)
> > Feb 15 13:01:32 ipa-xyz sshd[13859]: Received disconnect from x.x.x.x: 11: disconnected by user
> >
> > but both 389 and 636 ports are listening
> >
> > # netstat -tunlp |grep 636
> > tcp        0      0 :::636                      :::*                        LISTEN      9564/ns-slapd
> >
> > # netstat -tunlp |grep 389
> > tcp        0      0 :::7389                     :::*                        LISTEN      9495/ns-slapd
> > tcp        0      0 :::389                      :::*                        LISTEN      9564/ns-slapd
> >
> > And from /var/log/sssd/sssd_xyz.com.log
> >
> > (Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
> > (Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): domain: xyz.com
> > (Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): user: tempuser
> > (Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): service: sshd
> > (Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): tty: ssh
> > (Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): ruser:
> > (Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): rhost: x.x.x.x
> > (Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): authtok type: 1
> > (Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): newauthtok type: 0
> > (Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): priv: 1
> > (Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): cli_pid: 13499
> > (Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): logon name: not set
> > (Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [krb5_auth_prepare_ccache_name] (0x1000): No ccache file for user [tempuser] found.
> > (Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
> > (Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [get_server_status] (0x1000): Status of server 'ipa.xyz.com' is 'working'
> > (Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [get_port_status] (0x1000): Port status of port 0 for server 'ipa.xyz.com' is 'working'
> > (Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [get_server_status] (0x1000): Status of server 'ipa.xyz.com' is 'working'
> > (Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
> > (Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [be_resolve_server_process]
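The fix in this message is a one-liner in hindsight, but a leftover pam_ldap stack is easy to miss when reading /etc/pam.d by eye, and the failure mode it produces is exactly what the logs above show: pam_ldap cannot contact its (decommissioned) LDAP server, and because the account line carries [default=bad ...] that unreachable server turns into "Access denied for user ... by PAM account configuration". The following is an added example written for this page, not code from FreeIPA, SSSD or anyone on the list. It parses a PAM stack, flags every pam_ldap line that sits in a phase where pam_sss is also present, rates the account-phase line as a hard denial when its control field fails the phase on module error, and shows the cleanup the reply describes (dropping the pam_ldap lines). The sample stack is constructed around the four lines quoted above; the function names and the surrounding pam_unix/pam_sss lines are assumptions, not copied from the poster's system.

```python
"""Audit a PAM stack for a stale pam_ldap module left beside pam_sss.

Added example for this thread; not code from FreeIPA, SSSD or the list
members. SAMPLE_PAM_STACK is constructed: the four pam_ldap lines are the
ones quoted in the reply above, the pam_unix/pam_sss lines around them are
typical but assumed.
"""
import re

SAMPLE_PAM_STACK = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_sss.so use_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    sufficient    pam_sss.so use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_sss.so
session     optional      pam_ldap.so
"""

# type  control  module  [args...]; control is a keyword or a [bracketed] action list
PAM_LINE = re.compile(
    r"^(?P<type>auth|account|password|session)\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+"
    r"(?P<module>\S+)\s*(?P<args>.*)$"
)


def parse_pam(text):
    """Return one dict per effective PAM line (comments and blanks skipped)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = PAM_LINE.match(line)
        if not m:
            continue  # include/substack or unparsable line; not audited here
        entries.append({
            "lineno": lineno,
            "type": m.group("type"),
            "control": m.group("control"),
            "module": m.group("module"),
            "args": m.group("args").split(),
        })
    return entries


def denies_on_failure(control):
    """True if a module failure under this control field fails the whole phase."""
    if control in ("required", "requisite"):
        return True
    # bracketed form: unlisted outcomes mapped to bad/die deny the phase
    return control.startswith("[") and ("default=bad" in control or "default=die" in control)


def find_conflicts(entries):
    """Flag pam_ldap lines in every phase that also carries pam_sss."""
    findings = []
    phases = {}
    for e in entries:
        phases.setdefault(e["type"], []).append(e)
    for phase, group in phases.items():
        modules = {e["module"] for e in group}
        if not {"pam_sss.so", "pam_ldap.so"} <= modules:
            continue
        for e in group:
            if e["module"] != "pam_ldap.so":
                continue
            if phase == "account" and denies_on_failure(e["control"]):
                severity = "deny"
                why = ("account phase fails whenever pam_ldap cannot reach its LDAP server "
                       "(sshd logs: Access denied ... by PAM account configuration)")
            elif phase == "auth":
                severity = "warn"
                why = "the typed password is sent to whatever server pam_ldap's own config names"
            else:
                severity = "warn"
                why = "redundant with pam_sss; remove together with the rest of the pam_ldap stack"
            findings.append({"lineno": e["lineno"], "phase": phase,
                             "control": e["control"], "severity": severity, "why": why})
    return findings


def remove_pam_ldap(text):
    """Return the stack with every pam_ldap.so line dropped (what the reply did)."""
    kept = []
    for raw in text.splitlines():
        m = PAM_LINE.match(raw.split("#", 1)[0].strip())
        if m and m.group("module") == "pam_ldap.so":
            continue
        kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for f in find_conflicts(parse_pam(SAMPLE_PAM_STACK)):
        print(f"line {f['lineno']:>2} {f['phase']:<8} {f['severity']:<4} {f['why']}")
    assert not find_conflicts(parse_pam(remove_pam_ldap(SAMPLE_PAM_STACK)))
```

Run against a real host, feed it the contents of /etc/pam.d/system-auth and /etc/pam.d/password-auth (or their authconfig-generated -ac twins) rather than the constructed sample. The account-phase finding is the one that matches this thread; the auth-phase warning is there because a stale pam_ldap auth line keeps forwarding users' passwords to the old LDAP host for as long as it stays in the stack.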
Re: [Freeipa-users] Connection closed by UNKNOWN
this is what I have in /var/log/secure

Feb 15 12:22:33 ipa-xyz sshd[13499]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=tempuser
Feb 15 12:22:33 ipa-xyz sshd[13499]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=tempuser
Feb 15 12:22:33 ipa-xyz sshd[13499]: pam_sss(sshd:auth): received for user tempuser: 7 (Authentication failure)
Feb 15 12:22:33 ipa-xyz sshd[13499]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Feb 15 12:22:33 ipa-xyz sshd[13499]: pam_ldap: reconnecting to LDAP server...
Feb 15 12:22:33 ipa-xyz sshd[13499]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Feb 15 12:22:35 ipa-xyz sshd[13499]: Failed password for tempuser from x.x.x.x port 34318 ssh2
Feb 15 12:22:37 ipa-xyz sshd[13500]: Connection closed by x.x.x.x
Feb 15 12:31:32 ipa-xyz sshd[13859]: Accepted publickey for root from x.x.x.x port 56275 ssh2
Feb 15 12:31:32 ipa-xyz sshd[13859]: pam_unix(sshd:session): session opened for user root by (uid=0)
Feb 15 13:01:32 ipa-xyz sshd[13859]: Received disconnect from x.x.x.x: 11: disconnected by user

but both 389 and 636 ports are listening

# netstat -tunlp |grep 636
tcp        0      0 :::636                      :::*                        LISTEN      9564/ns-slapd

# netstat -tunlp |grep 389
tcp        0      0 :::7389                     :::*                        LISTEN      9495/ns-slapd
tcp        0      0 :::389                      :::*                        LISTEN      9564/ns-slapd

And from /var/log/sssd/sssd_xyz.com.log

(Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): domain: xyz.com
(Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): user: tempuser
(Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): service: sshd
(Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): tty: ssh
(Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): ruser:
(Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): rhost: x.x.x.x
(Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): authtok type: 1
(Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): priv: 1
(Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): cli_pid: 13499
(Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): logon name: not set
(Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [krb5_auth_prepare_ccache_name] (0x1000): No ccache file for user [tempuser] found.
(Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [get_server_status] (0x1000): Status of server 'ipa.xyz.com' is 'working'
(Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [get_port_status] (0x1000): Port status of port 0 for server 'ipa.xyz.com' is 'working'
(Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [get_server_status] (0x1000): Status of server 'ipa.xyz.com' is 'working'
(Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [be_resolve_server_process] (0x0200): Found address for server ipa.xyz.com: [x.x.x.x] TTL 7200
(Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [write_pipe_handler] (0x0400): All data has been sent!
(Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [child_sig_handler] (0x1000): Waiting for child [13501].
(Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [child_sig_handler] (0x0100): child [13501] finished successfully.
(Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 7, ) [Success]
(Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [be_pam_handler_callback] (0x0100): Sending result [7][xyz.com]
(Mon Feb 15 12:22:33 2016) [sssd[be[xyz.com]]] [be_pam_handler_callback] (0x0100): Sent result [7][xyz.com]

Thanks,
Rakesh

On Mon, Feb 15, 2016 at 3:45 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
> On Mon, Feb 15, 2016 at 10:24:23AM +0530, Rakesh Rajasekharan wrote:
> > hbac seems to be fine
> >
> > ipa hbactest --user=q-temp --host=x.x.x.x --service=sshd
> >
> > Access granted: True
> >
> > Matched rules: allow_all
> >
> > I see this in the sssd.log
> >
> > (Mon Feb 15 04:49:18 2016) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/xyz.com/q-temp]
> > (Mon Feb 15 04:49:18 2016) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Re
Re: [Freeipa-users] Connection closed by UNKNOWN
hbac seems to be fine

ipa hbactest --user=q-temp --host=x.x.x.x --service=sshd

Access granted: True

Matched rules: allow_all

I see this in the sssd.log

(Mon Feb 15 04:49:18 2016) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/xyz.com/q-temp]
(Mon Feb 15 04:49:18 2016) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [q-t...@xyz.com]
(Mon Feb 15 04:49:18 2016) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning..
(Mon Feb 15 04:49:18 2016) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): Returning info for user [q-t...@xyz.com]
(Mon Feb 15 04:49:18 2016) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
(Mon Feb 15 04:49:18 2016) [sssd[nss]] [client_destructor] (0x2000): Terminated client [0x23d2f80][20]
(Mon Feb 15 04:49:27 2016) [sssd[nss]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit

On Sat, Feb 13, 2016 at 4:41 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
> On Sat, Feb 13, 2016 at 07:38:16AM +0530, Rakesh Rajasekharan wrote:
> > I started up with freeipa and setup a server and a client
> >
> > Now when I add a user and try logging in,
> > It successfully prompts for the password change and completes setting up
> > the new password.
> >
> > However, when I again try to login with the new password, it gives me the
> > below error
> >
> > "Connection closed by UNKNOWN"
> >
> > In /var/log/secure , I see this
> >
> > fatal: Access denied for user t-temp by PAM account configuration.
> >
> > Any pointers, what I would have done wrong in the setup or if I would have
> > missed something.
>
> I would guess HBAC if that message comes from pam_sss.
[Freeipa-users] Connection closed by UNKNOWN
I started up with freeipa and setup a server and a client

Now when I add a user and try logging in,
It successfully prompts for the password change and completes setting up the new password.

However, when I again try to login with the new password, it gives me the below error

"Connection closed by UNKNOWN"

In /var/log/secure , I see this

fatal: Access denied for user t-temp by PAM account configuration.

Any pointers, what I would have done wrong in the setup or if I would have missed something.

Thanks.
Rakesh
Re: [Freeipa-users] Can I revert back the hostname on client
> What doesn't work?

We have glassfish running on a few of the hosts. That refuses to restart after the hostname change. (However, looks like someone found a way out.) I did not face issues with that today. So, that I guess is pretty much fixable.

Apart from that, at the moment we do not see any other issues. The only issue I can think of is in case you have your scripts/applications referring to your machine with its host-names instead of IP, won't that cause a problem?

> You can tell SSSD to use a different hostname instead of the one the host
> actually uses. See SSSD man pages for that. You might also need to do a
> similar thing with krb5.conf by setting dns_canonicalize_hostname and make
> sure your DNS can actually resolve the short hostnames to FQDNs

Will give this a try.

On Wed, Jan 14, 2015 at 11:58 PM, Dmitri Pal <d...@redhat.com> wrote:
> On 01/14/2015 03:38 AM, Petr Spacek wrote:
> > Hello,
> >
> > On 14.1.2015 06:13, Rakesh Rajasekharan wrote:
> > > Freeipa changes the hostname to FQDN. But in our existing set up that
> > > can cause issues.
> >
> > Could you be more specific? It would help if we had detailed bug reports
> > about this but up to now everybody just said 'I need non-FQDN hostname'
> > but did not add any details :-)
> >
> > What doesn't work?
> >
> > > Can I revert back the hostname to previous value once the client
> > > installation is complete.
> >
> > You might see all sorts of breakages related to Kerberos, sorry.
> >
> > > I am fine with server having a FQDN.
>
> You can tell SSSD to use a different hostname instead of the one the host
> actually uses. See SSSD man pages for that. You might also need to do a
> similar thing with krb5.conf by setting dns_canonicalize_hostname and make
> sure your DNS can actually resolve the short hostnames to FQDNs
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
[Freeipa-users] Can I revert back the hostname on client
Hi,

Freeipa changes the hostname to FQDN. But in our existing set up that can cause issues.

Can I revert back the hostname to previous value once the client installation is complete.

I am fine with server having a FQDN.

Thanks,
Rakesh
Re: [Freeipa-users] freeipa authentication token manipulation error
Thanks, that worked.. users are now able to get the password changed without any issues...

Will do a few more tests on this but at this point looks like that was the issue

~Rakesh

On Tue, Jan 13, 2015 at 1:52 PM, Sumit Bose <sb...@redhat.com> wrote:
> On Tue, Jan 13, 2015 at 12:48:18PM +0530, Rakesh Rajasekharan wrote:
> > > Does it work for the same user from the client if you reset password on
> > > the server, authenticate from the client and then force reset again on
> > > the server?
> >
> > When I force reset a user, he still faces the same error token manipulation
> > when he tries to login to a client.
> >
> > However, when he tries getting into the server, he now gets prompted for
> > the password change and is successfully able to get through.
> >
> > So, at this point we have a workaround though something seems not right at
> > the clients.
>
> Can you add a new client and see whether it works there?
>
> > > Have you tried re-installing the client?
> >
> > Yes, I did try reinstalling but that did not help
>
> Sorry, I meant the full krb5_child.log ...
>
> > This is how I get the logs in krb5_child.
> >
> > when a user tries to authenticate with the random password that I generated,
> >
> > WARNING: Your password has expired.
> > You must change your password now and login again!
> > Changing password for user hq-testuser.
> > Current Password:
> > New password:
> > Retype new password:
> > passwd: Authentication token manipulation error
> >
> > And on the krb5_child.log, these are the entries
> >
> > (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_71061_XX] keytab: [/etc/krb5.keytab]
> > (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
> > (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
> > (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
> > (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/qa-dummy-int.test@test.com]
> > (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [match_principal] (0x1000): Principal matched to the sample (host/qa-dummy-int.test@test.com).
> > (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
> > (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [main] (0x0400): Will perform password change
> > (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [changepw_child] (0x1000): Password change operation
> > (Tue Jan 13 06:47:39 2015) [[sssd[krb5_child[18004]]]] [changepw_child] (0x0400): Attempting kinit for realm [TEST.COM]
> >
> > This does not go beyond this. However, when I attempt another login, the
> > logs start moving from this point (the time stamps start from 6:54 AM)
> >
> > WARNING: Your password has expired.
> > You must change your password now and login again!
> > Changing password for user hq-testuser.
> > Current Password:
> > New password:
> > Retype new password:
> > passwd: Authentication token manipulation error
> >
> > now the krb5_child.log adds the following lines
> >
> > (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [main] (0x0400): krb5_child started.
> > (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [unpack_buffer] (0x1000): total buffer size: [134]
> > (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [unpack_buffer] (0x0100): cmd [241] uid [71061] gid [71061] validate [true] enterprise principal [false] offline [false] UPN [hq-testu...@test.com]
> > (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_71061_XX] keytab: [/etc/krb5.keytab]
> > (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
> > (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
> > (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
> > (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/qa-dummy-int.test@test.com]
> > (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [match_principal] (0x1000): Principal matched to the sample (host/qa-dummy-int.test@test.com).
> > (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
> > (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [main] (0x0400): Will perform online auth
> > (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
> > (Tue Jan 13 06:54:52 2015) [[sssd[krb5_child[23514
Re: [Freeipa-users] freeipa authentication token manipulation error
The sssd version is 1.11.6

The password does not get changed, whatever password gets generated by ipa user-mod --random stays valid even after attempting the change.

krb5_child.log does not have any contents.

Thanks,
Rakesh

On Sun, Jan 11, 2015 at 9:01 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
> On Sun, Jan 11, 2015 at 02:31:26PM +0530, Rakesh Rajasekharan wrote:
> > Hi,
> >
> > I am having some issues with freeipa. Whenever I change the password for
> > any user, he is not able to change the password, and he gets the error
> > "authentication token manipulation error"
> >
> > Changing password for user hq-testuser.
> > Current Password:
> > New password:
> > Retype new password:
> > passwd: Authentication token manipulation error
> >
> > I was able to get this running on another environment; not sure what went
> > wrong here. I have migrated my existing users from openldap.
> >
> > Thanks,
> > Rakesh
>
> What is the sssd version?
>
> Is the password changed despite the error (you can test with kinit and
> either the new or the old password)?
>
> Increasing sssd log verbosity and checking krb5_child.log might help, too.
Re: [Freeipa-users] freeipa authentication token manipulation error
This is what I get now in the krb5_child.log after setting the debug_level

(Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_71061_XX] keytab: [/etc/krb5.keytab]
(Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/qa-dummy-int.test@test.com]
(Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709]]]] [match_principal] (0x1000): Principal matched to the sample (host/qa-dummy-int.test@test.com).
(Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
(Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709]]]] [main] (0x0400): Will perform password change
(Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709]]]] [changepw_child] (0x1000): Password change operation
(Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709]]]] [changepw_child] (0x0400): Attempting kinit for realm [TEST.COM]

On Mon, Jan 12, 2015 at 2:31 PM, Lukas Slebodnik <lsleb...@redhat.com> wrote:
> On (12/01/15 14:12), Rakesh Rajasekharan wrote:
> > The sssd version is 1.11.6
> >
> > The password does not get changed, whatever password gets generated by ipa
> > user-mod --random stays valid even after attempting the change.
> >
> > krb5_child.log does not have any contents.
>
> The logging in sssd is disabled by default.
> You need to increase level of verbosity.
> Put debug_level = 7 into domain section and restart sssd.
>
> It is also possible to change debug level on the fly with command line
> utility sss_debuglevel (part of package sssd-tools)
>
> LS
Re: [Freeipa-users] freeipa authentication token manipulation error
under /var/log/secure.. have this error

passwd: pam_sss(passwd:chauthtok): Password change failed for user hq-testuser: 22 (Authentication token lock busy)

On Mon, Jan 12, 2015 at 3:25 PM, Rakesh Rajasekharan <rakesh.rajasekha...@gmail.com> wrote:
> This is what I get now in the krb5_child.log after setting the debug_level
>
> (Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_71061_XX] keytab: [/etc/krb5.keytab]
> (Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
> (Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
> (Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
> (Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/qa-dummy-int.test@test.com]
> (Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709]]]] [match_principal] (0x1000): Principal matched to the sample (host/qa-dummy-int.test@test.com).
> (Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
> (Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709]]]] [main] (0x0400): Will perform password change
> (Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709]]]] [changepw_child] (0x1000): Password change operation
> (Mon Jan 12 09:51:14 2015) [[sssd[krb5_child[21709]]]] [changepw_child] (0x0400): Attempting kinit for realm [TEST.COM]
>
> On Mon, Jan 12, 2015 at 2:31 PM, Lukas Slebodnik <lsleb...@redhat.com> wrote:
> > On (12/01/15 14:12), Rakesh Rajasekharan wrote:
> > > The sssd version is 1.11.6
> > >
> > > The password does not get changed, whatever password gets generated by
> > > ipa user-mod --random stays valid even after attempting the change.
> > >
> > > krb5_child.log does not have any contents.
> >
> > The logging in sssd is disabled by default.
> > You need to increase level of verbosity.
> > Put debug_level = 7 into domain section and restart sssd.
> >
> > It is also possible to change debug level on the fly with command line
> > utility sss_debuglevel (part of package sssd-tools)
> >
> > LS
Re: [Freeipa-users] freeipa authentication token manipulation error
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [main] (0x0400): krb5_child started.
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [unpack_buffer] (0x1000): total buffer size: [134]
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [unpack_buffer] (0x0100): cmd [247] uid [71061] gid [71061] validate [true] enterprise principal [false] offline [false] UPN [hq-testu...@test.com]
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_71061_XX] keytab: [/etc/krb5.keytab]
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/qa-dummy-int.test@test.com]
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [match_principal] (0x1000): Principal matched to the sample (host/qa-dummy-int.test@test.com).
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [main] (0x0400): Will perform password change checks
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [changepw_child] (0x1000): Password change operation
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [changepw_child] (0x0400): Attempting kinit for realm [TEST.COM]
(Tue Jan 13 06:55:03 2015) [[sssd[krb5_child[23595]]]] [changepw_child] (0x1000): Initial authentication for change password operation successful.
(Tue Jan 13 06:55:03 2015) [[sssd[krb5_child[23595]]]] [k5c_send_data] (0x0200): Received error code 0
(Tue Jan 13 06:55:03 2015) [[sssd[krb5_child[23595]]]] [main] (0x0400): krb5_child completed successfully
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [main] (0x0400): krb5_child started.
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [unpack_buffer] (0x1000): total buffer size: [153]
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [unpack_buffer] (0x0100): cmd [246] uid [71061] gid [71061] validate [true] enterprise principal [false] offline [false] UPN [hq-testu...@test.com]
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_71061_XX] keytab: [/etc/krb5.keytab]
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/qa-dummy-int.test@test.com]
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [match_principal] (0x1000): Principal matched to the sample (host/qa-dummy-int.test@test.com).
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [main] (0x0400): Will perform password change
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [changepw_child] (0x1000): Password change operation
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241]]]] [changepw_child] (0x0400): Attempting kinit for realm [TEST.COM]

and again the last line is attempting kinit for realm

Thanks,
Rakesh

On Tue, Jan 13, 2015 at 1:05 AM, Dmitri Pal <d...@redhat.com> wrote:
> On 01/12/2015 12:55 PM, Rakesh Rajasekharan wrote:
> > This is the full log,
> >
> > Jan 12 17:45:15 10-5-68-5 sshd[29753]: pam_sss(sshd:account): User info message: Password expired. Change your password now.
> > Jan 12 17:45:15 10-5-68-5 sshd[29753]: Accepted password for hq-testuser from 10.5.68.184 port 54048 ssh2
> > Jan 12 17:45:16 10-5-68-5 sshd[29753]: pam_unix(sshd:session): session opened for user hq-testuser by (uid=0)
> > Jan 12 17:45:16 10-5-68-5 passwd: pam_unix(passwd:chauthtok): user hq-testuser does not exist in /etc/passwd
> > Jan 12 17:45:35 10-5-68-5 passwd: pam_unix(passwd:chauthtok): user hq-testuser does not exist in /etc/passwd
> > Jan 12 17:45:41 10-5-68-5 passwd: pam_sss(passwd:chauthtok): Password change failed for user hq-testuser: 22 (Authentication token lock busy)
> > Jan 12 17:45:43 10-5-68-5 sshd[30329]: Received disconnect from 10.5.68.184: 11: disconnected by user
> > Jan 12 17:45:43 10-5-68-5 sshd[29753]: pam_unix(sshd:session): session closed for user hq-testuser
>
> Does it happen for all users or only
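The two krb5_child processes in the log above tell the story once they are read per PID: the cmd [247] child (the preliminary password check) gets "Initial authentication for change password operation successful", returns error code 0 and completes; the cmd [246] child (the actual change) never logs anything after "Attempting kinit for realm". With several children interleaved in one file that is tedious to see by eye, so here is an added example, written for this page and not code from SSSD or anyone on the list, that groups krb5_child.log lines by child PID, maps the cmd code to the SSS_PAM_* request it carries (the codes are from SSSD's sss_cli.h; the mapping table lists only the three seen in this thread) and reports how far each request got. The sample log is constructed to the shape of the lines above; its PIDs, timestamps and UPN are made up. The real log closes the PID with ]]]] and the archive dropped those brackets, so the sample deliberately mixes both forms and the regex accepts either. Jakub's remark earlier in this thread that "lock busy" usually means the kadmin servers were offline points at what to check once a stalled cmd [246] child is confirmed: whether the client can reach the kpasswd service on the IPA master (port 464), which the triage below does not do itself.

```python
"""Triage SSSD's krb5_child.log: which PAM request each child ran and where it stopped.

Added example for this thread; not code from SSSD or the list members.
SAMPLE_LOG is constructed (PIDs, times and UPN are invented); the request
codes come from SSSD's sss_cli.h.
"""
import re
from datetime import datetime

# SSS_PAM_* request codes as they appear in the "cmd [...]" field
PAM_CMD = {
    241: "SSS_PAM_AUTHENTICATE",       # logged as "Will perform online auth"
    246: "SSS_PAM_CHAUTHTOK",          # "Will perform password change"
    247: "SSS_PAM_CHAUTHTOK_PRELIM",   # "Will perform password change checks"
}

SAMPLE_LOG = """\
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [main] (0x0400): krb5_child started.
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [unpack_buffer] (0x0100): cmd [247] uid [71061] gid [71061] validate [true] enterprise principal [false] offline [false] UPN [hq-testuser@TEST.COM]
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [main] (0x0400): Will perform password change checks
(Tue Jan 13 06:55:00 2015) [[sssd[krb5_child[23595]]]] [changepw_child] (0x0400): Attempting kinit for realm [TEST.COM]
(Tue Jan 13 06:55:03 2015) [[sssd[krb5_child[23595]]]] [changepw_child] (0x1000): Initial authentication for change password operation successful.
(Tue Jan 13 06:55:03 2015) [[sssd[krb5_child[23595]]]] [k5c_send_data] (0x0200): Received error code 0
(Tue Jan 13 06:55:03 2015) [[sssd[krb5_child[23595]]]] [main] (0x0400): krb5_child completed successfully
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241 [main] (0x0400): krb5_child started.
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241 [unpack_buffer] (0x0100): cmd [246] uid [71061] gid [71061] validate [true] enterprise principal [false] offline [false] UPN [hq-testuser@TEST.COM]
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241 [main] (0x0400): Will perform password change
(Tue Jan 13 06:55:13 2015) [[sssd[krb5_child[24241 [changepw_child] (0x0400): Attempting kinit for realm [TEST.COM]
"""

# "(timestamp) [[sssd[krb5_child[PID]]]] [function] (level): message";
# "\]*\s*" after the PID also accepts the bracket-stripped archive form.
LINE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[\[sssd\[krb5_child\[(?P<pid>\d+)\]*\s*"
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)


def parse_krb5_child_log(text):
    """Yield one record per parsable line; lines that do not match are skipped."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        yield {
            "ts": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"),
            "pid": int(m.group("pid")),
            "func": m.group("func"),
            "msg": m.group("msg"),
        }


def triage(text):
    """Group records by child PID and decide how far each request got."""
    children = {}
    for rec in parse_krb5_child_log(text):
        c = children.setdefault(rec["pid"], {
            "pid": rec["pid"], "cmd": None, "operation": "unknown",
            "first": rec["ts"], "last": rec["ts"],
            "last_func": rec["func"], "last_msg": rec["msg"],
            "completed": False, "error_code": None,
        })
        c["last"], c["last_func"], c["last_msg"] = rec["ts"], rec["func"], rec["msg"]
        m = re.search(r"\bcmd \[(\d+)\]", rec["msg"])
        if rec["func"] == "unpack_buffer" and m:
            c["cmd"] = int(m.group(1))
            c["operation"] = PAM_CMD.get(c["cmd"], f"cmd {c['cmd']}")
        m = re.search(r"Received error code (\d+)", rec["msg"])
        if m:
            c["error_code"] = int(m.group(1))
        if rec["msg"].startswith("krb5_child completed successfully"):
            c["completed"] = True
    for c in children.values():
        c["duration_s"] = (c["last"] - c["first"]).total_seconds()
        c["status"] = "completed" if c["completed"] else "incomplete"
    return children


def report(children):
    """One line per child: request, outcome, elapsed time and the last function seen."""
    lines = []
    for c in sorted(children.values(), key=lambda c: c["first"]):
        lines.append(
            f"pid {c['pid']} {c['operation']:<24} {c['status']:<10} "
            f"{c['duration_s']:>4.0f}s  last: [{c['last_func']}] {c['last_msg']}"
        )
    return lines


if __name__ == "__main__":
    for line in report(triage(SAMPLE_LOG)):
        print(line)
```

On a real client, replace SAMPLE_LOG with the contents of /var/log/sssd/krb5_child.log taken after debug_level was raised as Lukas describes above. A child that stays "incomplete" with its last function in changepw_child is the pattern from this thread; a child that completes with a non-zero error code is a different failure and its code is the thing to look up next.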
Re: [Freeipa-users] freeipa authentication token manipulation error
This is the full log,

Jan 12 17:45:15 10-5-68-5 sshd[29753]: pam_sss(sshd:account): User info message: Password expired. Change your password now.
Jan 12 17:45:15 10-5-68-5 sshd[29753]: Accepted password for hq-testuser from 10.5.68.184 port 54048 ssh2
Jan 12 17:45:16 10-5-68-5 sshd[29753]: pam_unix(sshd:session): session opened for user hq-testuser by (uid=0)
Jan 12 17:45:16 10-5-68-5 passwd: pam_unix(passwd:chauthtok): user hq-testuser does not exist in /etc/passwd
Jan 12 17:45:35 10-5-68-5 passwd: pam_unix(passwd:chauthtok): user hq-testuser does not exist in /etc/passwd
Jan 12 17:45:41 10-5-68-5 passwd: pam_sss(passwd:chauthtok): Password change failed for user hq-testuser: 22 (Authentication token lock busy)
Jan 12 17:45:43 10-5-68-5 sshd[30329]: Received disconnect from 10.5.68.184: 11: disconnected by user
Jan 12 17:45:43 10-5-68-5 sshd[29753]: pam_unix(sshd:session): session closed for user hq-testuser

> Does it happen for all users or only users that you migrated?

Yes it happens for all; I created a new user (hq-testuser), which is a fresh one that I created.

I found a workaround for this: users are able to successfully change the password by connecting to the IPA master server. So, it's only the ipa clients that have the issue.

Thanks,
Rakesh

On Mon, Jan 12, 2015 at 10:57 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
> On Mon, Jan 12, 2015 at 04:01:32PM +0530, Rakesh Rajasekharan wrote:
> > under /var/log/secure.. have this error
> >
> > passwd: pam_sss(passwd:chauthtok): Password change failed for user hq-testuser: 22 (Authentication token lock busy)
>
> It looks like the log was truncated, can you post more context?
>
> Authentication token lock busy usually means the kadmin servers were offline..
[Freeipa-users] freeipa authentication token manipulation error
Hi,

I am having some issues with freeipa. Whenever I change the password for any user, he is not able to change the password, and he gets the error "authentication token manipulation error"

Changing password for user hq-testuser.
Current Password:
New password:
Retype new password:
passwd: Authentication token manipulation error

I was able to get this running on another environment; not sure what went wrong here. I have migrated my existing users from openldap.

Thanks,
Rakesh